1/*
   2 * DRBG: Deterministic Random Bits Generator
   3 *       Based on NIST Recommended DRBG from NIST SP800-90A with the following
   4 *       properties:
   5 *		* CTR DRBG with DF with AES-128, AES-192, AES-256 cores
   6 *		* Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
   7 *		* HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
   8 *		* with and without prediction resistance
   9 *
  10 * Copyright Stephan Mueller <smueller@chronox.de>, 2014
  11 *
  12 * Redistribution and use in source and binary forms, with or without
  13 * modification, are permitted provided that the following conditions
  14 * are met:
  15 * 1. Redistributions of source code must retain the above copyright
  16 *    notice, and the entire permission notice in its entirety,
  17 *    including the disclaimer of warranties.
  18 * 2. Redistributions in binary form must reproduce the above copyright
  19 *    notice, this list of conditions and the following disclaimer in the
  20 *    documentation and/or other materials provided with the distribution.
  21 * 3. The name of the author may not be used to endorse or promote
  22 *    products derived from this software without specific prior
  23 *    written permission.
  24 *
  25 * ALTERNATIVELY, this product may be distributed under the terms of
  26 * the GNU General Public License, in which case the provisions of the GPL are
  27 * required INSTEAD OF the above restrictions.  (This clause is
  28 * necessary due to a potential bad interaction between the GPL and
  29 * the restrictions contained in a BSD-style copyright.)
  30 *
  31 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
  32 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  33 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
  34 * WHICH ARE HEREBY DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE
  35 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
  36 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
  37 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
  38 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
  39 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  40 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
  41 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
  42 * DAMAGE.
  43 *
  44 * DRBG Usage
  45 * ==========
  46 * The SP 800-90A DRBG allows the user to specify a personalization string
  47 * for initialization as well as an additional information string for each
  48 * random number request. The following code fragments show how a caller
  49 * uses the kernel crypto API to use the full functionality of the DRBG.
  50 *
  51 * Usage without any additional data
  52 * ---------------------------------
  53 * struct crypto_rng *drng;
  54 * int err;
  55 * char data[DATALEN];
  56 *
  57 * drng = crypto_alloc_rng(drng_name, 0, 0);
  58 * err = crypto_rng_get_bytes(drng, &data, DATALEN);
  59 * crypto_free_rng(drng);
  60 *
  61 *
  62 * Usage with personalization string during initialization
  63 * -------------------------------------------------------
  64 * struct crypto_rng *drng;
  65 * int err;
  66 * char data[DATALEN];
  67 * struct drbg_string pers;
  68 * char personalization[11] = "some-string";
  69 *
  70 * drbg_string_fill(&pers, personalization, strlen(personalization));
  71 * drng = crypto_alloc_rng(drng_name, 0, 0);
  72 * // The reset completely re-initializes the DRBG with the provided
  73 * // personalization string
  74 * err = crypto_rng_reset(drng, &personalization, strlen(personalization));
  75 * err = crypto_rng_get_bytes(drng, &data, DATALEN);
  76 * crypto_free_rng(drng);
  77 *
  78 *
  79 * Usage with additional information string during random number request
  80 * ---------------------------------------------------------------------
  81 * struct crypto_rng *drng;
  82 * int err;
  83 * char data[DATALEN];
  84 * char addtl_string[11] = "some-string";
  85 * string drbg_string addtl;
  86 *
  87 * drbg_string_fill(&addtl, addtl_string, strlen(addtl_string));
  88 * drng = crypto_alloc_rng(drng_name, 0, 0);
  89 * // The following call is a wrapper to crypto_rng_get_bytes() and returns
  90 * // the same error codes.
  91 * err = crypto_drbg_get_bytes_addtl(drng, &data, DATALEN, &addtl);
  92 * crypto_free_rng(drng);
  93 *
  94 *
  95 * Usage with personalization and additional information strings
  96 * -------------------------------------------------------------
  97 * Just mix both scenarios above.
  98 */
  99
 100#include <crypto/drbg.h>
 101#include <crypto/internal/cipher.h>
 102#include <linux/kernel.h>
 103#include <linux/jiffies.h>
 104
 105/***************************************************************
 106 * Backend cipher definitions available to DRBG
 107 ***************************************************************/
 108
 109/*
 110 * The order of the DRBG definitions here matter: every DRBG is registered
 111 * as stdrng. Each DRBG receives an increasing cra_priority values the later
 112 * they are defined in this array (see drbg_fill_array).
 113 *
 114 * HMAC DRBGs are favored over Hash DRBGs over CTR DRBGs, and the
 115 * HMAC-SHA512 / SHA256 / AES 256 over other ciphers. Thus, the
 116 * favored DRBGs are the latest entries in this array.
 117 */
 118static const struct drbg_core drbg_cores[] = {
 119#ifdef CONFIG_CRYPTO_DRBG_CTR
 120	{
 121		.flags = DRBG_CTR | DRBG_STRENGTH128,
 122		.statelen = 32, /* 256 bits as defined in 10.2.1 */
 123		.blocklen_bytes = 16,
 124		.cra_name = "ctr_aes128",
 125		.backend_cra_name = "aes",
 126	}, {
 127		.flags = DRBG_CTR | DRBG_STRENGTH192,
 128		.statelen = 40, /* 320 bits as defined in 10.2.1 */
 129		.blocklen_bytes = 16,
 130		.cra_name = "ctr_aes192",
 131		.backend_cra_name = "aes",
 132	}, {
 133		.flags = DRBG_CTR | DRBG_STRENGTH256,
 134		.statelen = 48, /* 384 bits as defined in 10.2.1 */
 135		.blocklen_bytes = 16,
 136		.cra_name = "ctr_aes256",
 137		.backend_cra_name = "aes",
 138	},
 139#endif /* CONFIG_CRYPTO_DRBG_CTR */
 140#ifdef CONFIG_CRYPTO_DRBG_HASH
 141	{
 
 
 
 
 
 
 142		.flags = DRBG_HASH | DRBG_STRENGTH256,
 143		.statelen = 111, /* 888 bits */
 144		.blocklen_bytes = 48,
 145		.cra_name = "sha384",
 146		.backend_cra_name = "sha384",
 147	}, {
 148		.flags = DRBG_HASH | DRBG_STRENGTH256,
 149		.statelen = 111, /* 888 bits */
 150		.blocklen_bytes = 64,
 151		.cra_name = "sha512",
 152		.backend_cra_name = "sha512",
 153	}, {
 154		.flags = DRBG_HASH | DRBG_STRENGTH256,
 155		.statelen = 55, /* 440 bits */
 156		.blocklen_bytes = 32,
 157		.cra_name = "sha256",
 158		.backend_cra_name = "sha256",
 159	},
 160#endif /* CONFIG_CRYPTO_DRBG_HASH */
 161#ifdef CONFIG_CRYPTO_DRBG_HMAC
 162	{
 
 
 
 
 
 
 163		.flags = DRBG_HMAC | DRBG_STRENGTH256,
 164		.statelen = 48, /* block length of cipher */
 165		.blocklen_bytes = 48,
 166		.cra_name = "hmac_sha384",
 167		.backend_cra_name = "hmac(sha384)",
 168	}, {
 169		.flags = DRBG_HMAC | DRBG_STRENGTH256,
 170		.statelen = 32, /* block length of cipher */
 171		.blocklen_bytes = 32,
 172		.cra_name = "hmac_sha256",
 173		.backend_cra_name = "hmac(sha256)",
 174	}, {
 175		.flags = DRBG_HMAC | DRBG_STRENGTH256,
 176		.statelen = 64, /* block length of cipher */
 177		.blocklen_bytes = 64,
 178		.cra_name = "hmac_sha512",
 179		.backend_cra_name = "hmac(sha512)",
 180	},
 181#endif /* CONFIG_CRYPTO_DRBG_HMAC */
 182};
 183
 184static int drbg_uninstantiate(struct drbg_state *drbg);
 185
 186/******************************************************************
 187 * Generic helper functions
 188 ******************************************************************/
 189
 190/*
 191 * Return strength of DRBG according to SP800-90A section 8.4
 192 *
 193 * @flags DRBG flags reference
 194 *
 195 * Return: normalized strength in *bytes* value or 32 as default
 196 *	   to counter programming errors
 197 */
 198static inline unsigned short drbg_sec_strength(drbg_flag_t flags)
 199{
 200	switch (flags & DRBG_STRENGTH_MASK) {
 201	case DRBG_STRENGTH128:
 202		return 16;
 203	case DRBG_STRENGTH192:
 204		return 24;
 205	case DRBG_STRENGTH256:
 206		return 32;
 207	default:
 208		return 32;
 209	}
 210}
 211
 212/*
 213 * FIPS 140-2 continuous self test for the noise source
 214 * The test is performed on the noise source input data. Thus, the function
 215 * implicitly knows the size of the buffer to be equal to the security
 216 * strength.
 217 *
 218 * Note, this function disregards the nonce trailing the entropy data during
 219 * initial seeding.
 220 *
 221 * drbg->drbg_mutex must have been taken.
 222 *
 223 * @drbg DRBG handle
 224 * @entropy buffer of seed data to be checked
 225 *
 226 * return:
 227 *	0 on success
 228 *	-EAGAIN on when the CTRNG is not yet primed
 229 *	< 0 on error
 230 */
 231static int drbg_fips_continuous_test(struct drbg_state *drbg,
 232				     const unsigned char *entropy)
 233{
 234	unsigned short entropylen = drbg_sec_strength(drbg->core->flags);
 235	int ret = 0;
 236
 237	if (!IS_ENABLED(CONFIG_CRYPTO_FIPS))
 238		return 0;
 239
 240	/* skip test if we test the overall system */
 241	if (list_empty(&drbg->test_data.list))
 242		return 0;
 243	/* only perform test in FIPS mode */
 244	if (!fips_enabled)
 245		return 0;
 246
 247	if (!drbg->fips_primed) {
 248		/* Priming of FIPS test */
 249		memcpy(drbg->prev, entropy, entropylen);
 250		drbg->fips_primed = true;
 251		/* priming: another round is needed */
 252		return -EAGAIN;
 253	}
 254	ret = memcmp(drbg->prev, entropy, entropylen);
 255	if (!ret)
 256		panic("DRBG continuous self test failed\n");
 257	memcpy(drbg->prev, entropy, entropylen);
 258
 259	/* the test shall pass when the two values are not equal */
 260	return 0;
 261}
 262
 263/*
 264 * Convert an integer into a byte representation of this integer.
 265 * The byte representation is big-endian
 266 *
 267 * @val value to be converted
 268 * @buf buffer holding the converted integer -- caller must ensure that
 269 *      buffer size is at least 32 bit
 270 */
 271#if (defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR))
 272static inline void drbg_cpu_to_be32(__u32 val, unsigned char *buf)
 273{
 274	struct s {
 275		__be32 conv;
 276	};
 277	struct s *conversion = (struct s *) buf;
 278
 279	conversion->conv = cpu_to_be32(val);
 280}
 281#endif /* defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR) */
 282
 283/******************************************************************
 284 * CTR DRBG callback functions
 285 ******************************************************************/
 286
 287#ifdef CONFIG_CRYPTO_DRBG_CTR
 288#define CRYPTO_DRBG_CTR_STRING "CTR "
 289MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes256");
 290MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes256");
 291MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes192");
 292MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes192");
 293MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes128");
 294MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes128");
 295
 296static void drbg_kcapi_symsetkey(struct drbg_state *drbg,
 297				 const unsigned char *key);
 298static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval,
 299			  const struct drbg_string *in);
 300static int drbg_init_sym_kernel(struct drbg_state *drbg);
 301static int drbg_fini_sym_kernel(struct drbg_state *drbg);
 302static int drbg_kcapi_sym_ctr(struct drbg_state *drbg,
 303			      u8 *inbuf, u32 inbuflen,
 304			      u8 *outbuf, u32 outlen);
 305#define DRBG_OUTSCRATCHLEN 256
 306
 307/* BCC function for CTR DRBG as defined in 10.4.3 */
 308static int drbg_ctr_bcc(struct drbg_state *drbg,
 309			unsigned char *out, const unsigned char *key,
 310			struct list_head *in)
 311{
 312	int ret = 0;
 313	struct drbg_string *curr = NULL;
 314	struct drbg_string data;
 315	short cnt = 0;
 316
 317	drbg_string_fill(&data, out, drbg_blocklen(drbg));
 318
 319	/* 10.4.3 step 2 / 4 */
 320	drbg_kcapi_symsetkey(drbg, key);
 321	list_for_each_entry(curr, in, list) {
 322		const unsigned char *pos = curr->buf;
 323		size_t len = curr->len;
 324		/* 10.4.3 step 4.1 */
 325		while (len) {
 326			/* 10.4.3 step 4.2 */
 327			if (drbg_blocklen(drbg) == cnt) {
 328				cnt = 0;
 329				ret = drbg_kcapi_sym(drbg, out, &data);
 330				if (ret)
 331					return ret;
 332			}
 333			out[cnt] ^= *pos;
 334			pos++;
 335			cnt++;
 336			len--;
 337		}
 338	}
 339	/* 10.4.3 step 4.2 for last block */
 340	if (cnt)
 341		ret = drbg_kcapi_sym(drbg, out, &data);
 342
 343	return ret;
 344}
 345
 346/*
 347 * scratchpad usage: drbg_ctr_update is interlinked with drbg_ctr_df
 348 * (and drbg_ctr_bcc, but this function does not need any temporary buffers),
 349 * the scratchpad is used as follows:
 350 * drbg_ctr_update:
 351 *	temp
 352 *		start: drbg->scratchpad
 353 *		length: drbg_statelen(drbg) + drbg_blocklen(drbg)
 354 *			note: the cipher writing into this variable works
 355 *			blocklen-wise. Now, when the statelen is not a multiple
 356 *			of blocklen, the generateion loop below "spills over"
 357 *			by at most blocklen. Thus, we need to give sufficient
 358 *			memory.
 359 *	df_data
 360 *		start: drbg->scratchpad +
 361 *				drbg_statelen(drbg) + drbg_blocklen(drbg)
 362 *		length: drbg_statelen(drbg)
 363 *
 364 * drbg_ctr_df:
 365 *	pad
 366 *		start: df_data + drbg_statelen(drbg)
 367 *		length: drbg_blocklen(drbg)
 368 *	iv
 369 *		start: pad + drbg_blocklen(drbg)
 370 *		length: drbg_blocklen(drbg)
 371 *	temp
 372 *		start: iv + drbg_blocklen(drbg)
 373 *		length: drbg_satelen(drbg) + drbg_blocklen(drbg)
 374 *			note: temp is the buffer that the BCC function operates
 375 *			on. BCC operates blockwise. drbg_statelen(drbg)
 376 *			is sufficient when the DRBG state length is a multiple
 377 *			of the block size. For AES192 (and maybe other ciphers)
 378 *			this is not correct and the length for temp is
 379 *			insufficient (yes, that also means for such ciphers,
 380 *			the final output of all BCC rounds are truncated).
 381 *			Therefore, add drbg_blocklen(drbg) to cover all
 382 *			possibilities.
 383 */
 384
 385/* Derivation Function for CTR DRBG as defined in 10.4.2 */
 386static int drbg_ctr_df(struct drbg_state *drbg,
 387		       unsigned char *df_data, size_t bytes_to_return,
 388		       struct list_head *seedlist)
 389{
 390	int ret = -EFAULT;
 391	unsigned char L_N[8];
 392	/* S3 is input */
 393	struct drbg_string S1, S2, S4, cipherin;
 394	LIST_HEAD(bcc_list);
 395	unsigned char *pad = df_data + drbg_statelen(drbg);
 396	unsigned char *iv = pad + drbg_blocklen(drbg);
 397	unsigned char *temp = iv + drbg_blocklen(drbg);
 398	size_t padlen = 0;
 399	unsigned int templen = 0;
 400	/* 10.4.2 step 7 */
 401	unsigned int i = 0;
 402	/* 10.4.2 step 8 */
 403	const unsigned char *K = (unsigned char *)
 404			   "\x00\x01\x02\x03\x04\x05\x06\x07"
 405			   "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
 406			   "\x10\x11\x12\x13\x14\x15\x16\x17"
 407			   "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f";
 408	unsigned char *X;
 409	size_t generated_len = 0;
 410	size_t inputlen = 0;
 411	struct drbg_string *seed = NULL;
 412
 413	memset(pad, 0, drbg_blocklen(drbg));
 414	memset(iv, 0, drbg_blocklen(drbg));
 415
 416	/* 10.4.2 step 1 is implicit as we work byte-wise */
 417
 418	/* 10.4.2 step 2 */
 419	if ((512/8) < bytes_to_return)
 420		return -EINVAL;
 421
 422	/* 10.4.2 step 2 -- calculate the entire length of all input data */
 423	list_for_each_entry(seed, seedlist, list)
 424		inputlen += seed->len;
 425	drbg_cpu_to_be32(inputlen, &L_N[0]);
 426
 427	/* 10.4.2 step 3 */
 428	drbg_cpu_to_be32(bytes_to_return, &L_N[4]);
 429
 430	/* 10.4.2 step 5: length is L_N, input_string, one byte, padding */
 431	padlen = (inputlen + sizeof(L_N) + 1) % (drbg_blocklen(drbg));
 432	/* wrap the padlen appropriately */
 433	if (padlen)
 434		padlen = drbg_blocklen(drbg) - padlen;
 435	/*
 436	 * pad / padlen contains the 0x80 byte and the following zero bytes.
 437	 * As the calculated padlen value only covers the number of zero
 438	 * bytes, this value has to be incremented by one for the 0x80 byte.
 439	 */
 440	padlen++;
 441	pad[0] = 0x80;
 442
 443	/* 10.4.2 step 4 -- first fill the linked list and then order it */
 444	drbg_string_fill(&S1, iv, drbg_blocklen(drbg));
 445	list_add_tail(&S1.list, &bcc_list);
 446	drbg_string_fill(&S2, L_N, sizeof(L_N));
 447	list_add_tail(&S2.list, &bcc_list);
 448	list_splice_tail(seedlist, &bcc_list);
 449	drbg_string_fill(&S4, pad, padlen);
 450	list_add_tail(&S4.list, &bcc_list);
 451
 452	/* 10.4.2 step 9 */
 453	while (templen < (drbg_keylen(drbg) + (drbg_blocklen(drbg)))) {
 454		/*
 455		 * 10.4.2 step 9.1 - the padding is implicit as the buffer
 456		 * holds zeros after allocation -- even the increment of i
 457		 * is irrelevant as the increment remains within length of i
 458		 */
 459		drbg_cpu_to_be32(i, iv);
 460		/* 10.4.2 step 9.2 -- BCC and concatenation with temp */
 461		ret = drbg_ctr_bcc(drbg, temp + templen, K, &bcc_list);
 462		if (ret)
 463			goto out;
 464		/* 10.4.2 step 9.3 */
 465		i++;
 466		templen += drbg_blocklen(drbg);
 467	}
 468
 469	/* 10.4.2 step 11 */
 470	X = temp + (drbg_keylen(drbg));
 471	drbg_string_fill(&cipherin, X, drbg_blocklen(drbg));
 472
 473	/* 10.4.2 step 12: overwriting of outval is implemented in next step */
 474
 475	/* 10.4.2 step 13 */
 476	drbg_kcapi_symsetkey(drbg, temp);
 477	while (generated_len < bytes_to_return) {
 478		short blocklen = 0;
 479		/*
 480		 * 10.4.2 step 13.1: the truncation of the key length is
 481		 * implicit as the key is only drbg_blocklen in size based on
 482		 * the implementation of the cipher function callback
 483		 */
 484		ret = drbg_kcapi_sym(drbg, X, &cipherin);
 485		if (ret)
 486			goto out;
 487		blocklen = (drbg_blocklen(drbg) <
 488				(bytes_to_return - generated_len)) ?
 489			    drbg_blocklen(drbg) :
 490				(bytes_to_return - generated_len);
 491		/* 10.4.2 step 13.2 and 14 */
 492		memcpy(df_data + generated_len, X, blocklen);
 493		generated_len += blocklen;
 494	}
 495
 496	ret = 0;
 497
 498out:
 499	memset(iv, 0, drbg_blocklen(drbg));
 500	memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg));
 501	memset(pad, 0, drbg_blocklen(drbg));
 502	return ret;
 503}
 504
 505/*
 506 * update function of CTR DRBG as defined in 10.2.1.2
 507 *
 508 * The reseed variable has an enhanced meaning compared to the update
 509 * functions of the other DRBGs as follows:
 510 * 0 => initial seed from initialization
 511 * 1 => reseed via drbg_seed
 512 * 2 => first invocation from drbg_ctr_update when addtl is present. In
 513 *      this case, the df_data scratchpad is not deleted so that it is
 514 *      available for another calls to prevent calling the DF function
 515 *      again.
 516 * 3 => second invocation from drbg_ctr_update. When the update function
 517 *      was called with addtl, the df_data memory already contains the
 518 *      DFed addtl information and we do not need to call DF again.
 519 */
 520static int drbg_ctr_update(struct drbg_state *drbg, struct list_head *seed,
 521			   int reseed)
 522{
 523	int ret = -EFAULT;
 524	/* 10.2.1.2 step 1 */
 525	unsigned char *temp = drbg->scratchpad;
 526	unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) +
 527				 drbg_blocklen(drbg);
 528
 529	if (3 > reseed)
 530		memset(df_data, 0, drbg_statelen(drbg));
 531
 532	if (!reseed) {
 533		/*
 534		 * The DRBG uses the CTR mode of the underlying AES cipher. The
 535		 * CTR mode increments the counter value after the AES operation
 536		 * but SP800-90A requires that the counter is incremented before
 537		 * the AES operation. Hence, we increment it at the time we set
 538		 * it by one.
 539		 */
 540		crypto_inc(drbg->V, drbg_blocklen(drbg));
 541
 542		ret = crypto_skcipher_setkey(drbg->ctr_handle, drbg->C,
 543					     drbg_keylen(drbg));
 544		if (ret)
 545			goto out;
 546	}
 547
 548	/* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */
 549	if (seed) {
 550		ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), seed);
 551		if (ret)
 552			goto out;
 553	}
 554
 555	ret = drbg_kcapi_sym_ctr(drbg, df_data, drbg_statelen(drbg),
 556				 temp, drbg_statelen(drbg));
 557	if (ret)
 558		return ret;
 559
 560	/* 10.2.1.2 step 5 */
 561	ret = crypto_skcipher_setkey(drbg->ctr_handle, temp,
 562				     drbg_keylen(drbg));
 563	if (ret)
 564		goto out;
 565	/* 10.2.1.2 step 6 */
 566	memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg));
 567	/* See above: increment counter by one to compensate timing of CTR op */
 568	crypto_inc(drbg->V, drbg_blocklen(drbg));
 569	ret = 0;
 570
 571out:
 572	memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg));
 573	if (2 != reseed)
 574		memset(df_data, 0, drbg_statelen(drbg));
 575	return ret;
 576}
 577
 578/*
 579 * scratchpad use: drbg_ctr_update is called independently from
 580 * drbg_ctr_extract_bytes. Therefore, the scratchpad is reused
 581 */
 582/* Generate function of CTR DRBG as defined in 10.2.1.5.2 */
 583static int drbg_ctr_generate(struct drbg_state *drbg,
 584			     unsigned char *buf, unsigned int buflen,
 585			     struct list_head *addtl)
 586{
 587	int ret;
 588	int len = min_t(int, buflen, INT_MAX);
 589
 590	/* 10.2.1.5.2 step 2 */
 591	if (addtl && !list_empty(addtl)) {
 592		ret = drbg_ctr_update(drbg, addtl, 2);
 593		if (ret)
 594			return 0;
 595	}
 596
 597	/* 10.2.1.5.2 step 4.1 */
 598	ret = drbg_kcapi_sym_ctr(drbg, NULL, 0, buf, len);
 599	if (ret)
 600		return ret;
 601
 602	/* 10.2.1.5.2 step 6 */
 603	ret = drbg_ctr_update(drbg, NULL, 3);
 604	if (ret)
 605		len = ret;
 606
 607	return len;
 608}
 609
 610static const struct drbg_state_ops drbg_ctr_ops = {
 611	.update		= drbg_ctr_update,
 612	.generate	= drbg_ctr_generate,
 613	.crypto_init	= drbg_init_sym_kernel,
 614	.crypto_fini	= drbg_fini_sym_kernel,
 615};
 616#endif /* CONFIG_CRYPTO_DRBG_CTR */
 617
 618/******************************************************************
 619 * HMAC DRBG callback functions
 620 ******************************************************************/
 621
 622#if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC)
 623static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval,
 624			   const struct list_head *in);
 625static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg,
 626				  const unsigned char *key);
 627static int drbg_init_hash_kernel(struct drbg_state *drbg);
 628static int drbg_fini_hash_kernel(struct drbg_state *drbg);
 629#endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */
 630
 631#ifdef CONFIG_CRYPTO_DRBG_HMAC
 632#define CRYPTO_DRBG_HMAC_STRING "HMAC "
 633MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha512");
 634MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha512");
 635MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha384");
 636MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha384");
 637MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha256");
 638MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha256");
 
 
 639
 640/* update function of HMAC DRBG as defined in 10.1.2.2 */
 641static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed,
 642			    int reseed)
 643{
 644	int ret = -EFAULT;
 645	int i = 0;
 646	struct drbg_string seed1, seed2, vdata;
 647	LIST_HEAD(seedlist);
 648	LIST_HEAD(vdatalist);
 649
 650	if (!reseed) {
 651		/* 10.1.2.3 step 2 -- memset(0) of C is implicit with kzalloc */
 652		memset(drbg->V, 1, drbg_statelen(drbg));
 653		drbg_kcapi_hmacsetkey(drbg, drbg->C);
 654	}
 655
 656	drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg));
 657	list_add_tail(&seed1.list, &seedlist);
 658	/* buffer of seed2 will be filled in for loop below with one byte */
 659	drbg_string_fill(&seed2, NULL, 1);
 660	list_add_tail(&seed2.list, &seedlist);
 661	/* input data of seed is allowed to be NULL at this point */
 662	if (seed)
 663		list_splice_tail(seed, &seedlist);
 664
 665	drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg));
 666	list_add_tail(&vdata.list, &vdatalist);
 667	for (i = 2; 0 < i; i--) {
 668		/* first round uses 0x0, second 0x1 */
 669		unsigned char prefix = DRBG_PREFIX0;
 670		if (1 == i)
 671			prefix = DRBG_PREFIX1;
 672		/* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */
 673		seed2.buf = &prefix;
 674		ret = drbg_kcapi_hash(drbg, drbg->C, &seedlist);
 675		if (ret)
 676			return ret;
 677		drbg_kcapi_hmacsetkey(drbg, drbg->C);
 678
 679		/* 10.1.2.2 step 2 and 5 -- HMAC for V */
 680		ret = drbg_kcapi_hash(drbg, drbg->V, &vdatalist);
 681		if (ret)
 682			return ret;
 683
 684		/* 10.1.2.2 step 3 */
 685		if (!seed)
 686			return ret;
 687	}
 688
 689	return 0;
 690}
 691
 692/* generate function of HMAC DRBG as defined in 10.1.2.5 */
 693static int drbg_hmac_generate(struct drbg_state *drbg,
 694			      unsigned char *buf,
 695			      unsigned int buflen,
 696			      struct list_head *addtl)
 697{
 698	int len = 0;
 699	int ret = 0;
 700	struct drbg_string data;
 701	LIST_HEAD(datalist);
 702
 703	/* 10.1.2.5 step 2 */
 704	if (addtl && !list_empty(addtl)) {
 705		ret = drbg_hmac_update(drbg, addtl, 1);
 706		if (ret)
 707			return ret;
 708	}
 709
 710	drbg_string_fill(&data, drbg->V, drbg_statelen(drbg));
 711	list_add_tail(&data.list, &datalist);
 712	while (len < buflen) {
 713		unsigned int outlen = 0;
 714		/* 10.1.2.5 step 4.1 */
 715		ret = drbg_kcapi_hash(drbg, drbg->V, &datalist);
 716		if (ret)
 717			return ret;
 718		outlen = (drbg_blocklen(drbg) < (buflen - len)) ?
 719			  drbg_blocklen(drbg) : (buflen - len);
 720
 721		/* 10.1.2.5 step 4.2 */
 722		memcpy(buf + len, drbg->V, outlen);
 723		len += outlen;
 724	}
 725
 726	/* 10.1.2.5 step 6 */
 727	if (addtl && !list_empty(addtl))
 728		ret = drbg_hmac_update(drbg, addtl, 1);
 729	else
 730		ret = drbg_hmac_update(drbg, NULL, 1);
 731	if (ret)
 732		return ret;
 733
 734	return len;
 735}
 736
 737static const struct drbg_state_ops drbg_hmac_ops = {
 738	.update		= drbg_hmac_update,
 739	.generate	= drbg_hmac_generate,
 740	.crypto_init	= drbg_init_hash_kernel,
 741	.crypto_fini	= drbg_fini_hash_kernel,
 742};
 743#endif /* CONFIG_CRYPTO_DRBG_HMAC */
 744
 745/******************************************************************
 746 * Hash DRBG callback functions
 747 ******************************************************************/
 748
 749#ifdef CONFIG_CRYPTO_DRBG_HASH
 750#define CRYPTO_DRBG_HASH_STRING "HASH "
 751MODULE_ALIAS_CRYPTO("drbg_pr_sha512");
 752MODULE_ALIAS_CRYPTO("drbg_nopr_sha512");
 753MODULE_ALIAS_CRYPTO("drbg_pr_sha384");
 754MODULE_ALIAS_CRYPTO("drbg_nopr_sha384");
 755MODULE_ALIAS_CRYPTO("drbg_pr_sha256");
 756MODULE_ALIAS_CRYPTO("drbg_nopr_sha256");
 
 
 757
 758/*
 759 * Increment buffer
 760 *
 761 * @dst buffer to increment
 762 * @add value to add
 763 */
 764static inline void drbg_add_buf(unsigned char *dst, size_t dstlen,
 765				const unsigned char *add, size_t addlen)
 766{
 767	/* implied: dstlen > addlen */
 768	unsigned char *dstptr;
 769	const unsigned char *addptr;
 770	unsigned int remainder = 0;
 771	size_t len = addlen;
 772
 773	dstptr = dst + (dstlen-1);
 774	addptr = add + (addlen-1);
 775	while (len) {
 776		remainder += *dstptr + *addptr;
 777		*dstptr = remainder & 0xff;
 778		remainder >>= 8;
 779		len--; dstptr--; addptr--;
 780	}
 781	len = dstlen - addlen;
 782	while (len && remainder > 0) {
 783		remainder = *dstptr + 1;
 784		*dstptr = remainder & 0xff;
 785		remainder >>= 8;
 786		len--; dstptr--;
 787	}
 788}
 789
 790/*
 791 * scratchpad usage: as drbg_hash_update and drbg_hash_df are used
 792 * interlinked, the scratchpad is used as follows:
 793 * drbg_hash_update
 794 *	start: drbg->scratchpad
 795 *	length: drbg_statelen(drbg)
 796 * drbg_hash_df:
 797 *	start: drbg->scratchpad + drbg_statelen(drbg)
 798 *	length: drbg_blocklen(drbg)
 799 *
 800 * drbg_hash_process_addtl uses the scratchpad, but fully completes
 801 * before either of the functions mentioned before are invoked. Therefore,
 802 * drbg_hash_process_addtl does not need to be specifically considered.
 803 */
 804
 805/* Derivation Function for Hash DRBG as defined in 10.4.1 */
 806static int drbg_hash_df(struct drbg_state *drbg,
 807			unsigned char *outval, size_t outlen,
 808			struct list_head *entropylist)
 809{
 810	int ret = 0;
 811	size_t len = 0;
 812	unsigned char input[5];
 813	unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg);
 814	struct drbg_string data;
 815
 816	/* 10.4.1 step 3 */
 817	input[0] = 1;
 818	drbg_cpu_to_be32((outlen * 8), &input[1]);
 819
 820	/* 10.4.1 step 4.1 -- concatenation of data for input into hash */
 821	drbg_string_fill(&data, input, 5);
 822	list_add(&data.list, entropylist);
 823
 824	/* 10.4.1 step 4 */
 825	while (len < outlen) {
 826		short blocklen = 0;
 827		/* 10.4.1 step 4.1 */
 828		ret = drbg_kcapi_hash(drbg, tmp, entropylist);
 829		if (ret)
 830			goto out;
 831		/* 10.4.1 step 4.2 */
 832		input[0]++;
 833		blocklen = (drbg_blocklen(drbg) < (outlen - len)) ?
 834			    drbg_blocklen(drbg) : (outlen - len);
 835		memcpy(outval + len, tmp, blocklen);
 836		len += blocklen;
 837	}
 838
 839out:
 840	memset(tmp, 0, drbg_blocklen(drbg));
 841	return ret;
 842}
 843
 844/* update function for Hash DRBG as defined in 10.1.1.2 / 10.1.1.3 */
 845static int drbg_hash_update(struct drbg_state *drbg, struct list_head *seed,
 846			    int reseed)
 847{
 848	int ret = 0;
 849	struct drbg_string data1, data2;
 850	LIST_HEAD(datalist);
 851	LIST_HEAD(datalist2);
 852	unsigned char *V = drbg->scratchpad;
 853	unsigned char prefix = DRBG_PREFIX1;
 854
 855	if (!seed)
 856		return -EINVAL;
 857
 858	if (reseed) {
 859		/* 10.1.1.3 step 1 */
 860		memcpy(V, drbg->V, drbg_statelen(drbg));
 861		drbg_string_fill(&data1, &prefix, 1);
 862		list_add_tail(&data1.list, &datalist);
 863		drbg_string_fill(&data2, V, drbg_statelen(drbg));
 864		list_add_tail(&data2.list, &datalist);
 865	}
 866	list_splice_tail(seed, &datalist);
 867
 868	/* 10.1.1.2 / 10.1.1.3 step 2 and 3 */
 869	ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist);
 870	if (ret)
 871		goto out;
 872
 873	/* 10.1.1.2 / 10.1.1.3 step 4  */
 874	prefix = DRBG_PREFIX0;
 875	drbg_string_fill(&data1, &prefix, 1);
 876	list_add_tail(&data1.list, &datalist2);
 877	drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
 878	list_add_tail(&data2.list, &datalist2);
 879	/* 10.1.1.2 / 10.1.1.3 step 4 */
 880	ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2);
 881
 882out:
 883	memset(drbg->scratchpad, 0, drbg_statelen(drbg));
 884	return ret;
 885}
 886
 887/* processing of additional information string for Hash DRBG */
 888static int drbg_hash_process_addtl(struct drbg_state *drbg,
 889				   struct list_head *addtl)
 890{
 891	int ret = 0;
 892	struct drbg_string data1, data2;
 893	LIST_HEAD(datalist);
 894	unsigned char prefix = DRBG_PREFIX2;
 895
 896	/* 10.1.1.4 step 2 */
 897	if (!addtl || list_empty(addtl))
 898		return 0;
 899
 900	/* 10.1.1.4 step 2a */
 901	drbg_string_fill(&data1, &prefix, 1);
 902	drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
 903	list_add_tail(&data1.list, &datalist);
 904	list_add_tail(&data2.list, &datalist);
 905	list_splice_tail(addtl, &datalist);
 906	ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist);
 907	if (ret)
 908		goto out;
 909
 910	/* 10.1.1.4 step 2b */
 911	drbg_add_buf(drbg->V, drbg_statelen(drbg),
 912		     drbg->scratchpad, drbg_blocklen(drbg));
 913
 914out:
 915	memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
 916	return ret;
 917}
 918
 919/* Hashgen defined in 10.1.1.4 */
 920static int drbg_hash_hashgen(struct drbg_state *drbg,
 921			     unsigned char *buf,
 922			     unsigned int buflen)
 923{
 924	int len = 0;
 925	int ret = 0;
 926	unsigned char *src = drbg->scratchpad;
 927	unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg);
 928	struct drbg_string data;
 929	LIST_HEAD(datalist);
 930
 931	/* 10.1.1.4 step hashgen 2 */
 932	memcpy(src, drbg->V, drbg_statelen(drbg));
 933
 934	drbg_string_fill(&data, src, drbg_statelen(drbg));
 935	list_add_tail(&data.list, &datalist);
 936	while (len < buflen) {
 937		unsigned int outlen = 0;
 938		/* 10.1.1.4 step hashgen 4.1 */
 939		ret = drbg_kcapi_hash(drbg, dst, &datalist);
 940		if (ret) {
 941			len = ret;
 942			goto out;
 943		}
 944		outlen = (drbg_blocklen(drbg) < (buflen - len)) ?
 945			  drbg_blocklen(drbg) : (buflen - len);
 946		/* 10.1.1.4 step hashgen 4.2 */
 947		memcpy(buf + len, dst, outlen);
 948		len += outlen;
 949		/* 10.1.1.4 hashgen step 4.3 */
 950		if (len < buflen)
 951			crypto_inc(src, drbg_statelen(drbg));
 952	}
 953
 954out:
 955	memset(drbg->scratchpad, 0,
 956	       (drbg_statelen(drbg) + drbg_blocklen(drbg)));
 957	return len;
 958}
 959
 960/* generate function for Hash DRBG as defined in  10.1.1.4 */
 961static int drbg_hash_generate(struct drbg_state *drbg,
 962			      unsigned char *buf, unsigned int buflen,
 963			      struct list_head *addtl)
 964{
 965	int len = 0;
 966	int ret = 0;
 967	union {
 968		unsigned char req[8];
 969		__be64 req_int;
 970	} u;
 971	unsigned char prefix = DRBG_PREFIX3;
 972	struct drbg_string data1, data2;
 973	LIST_HEAD(datalist);
 974
 975	/* 10.1.1.4 step 2 */
 976	ret = drbg_hash_process_addtl(drbg, addtl);
 977	if (ret)
 978		return ret;
 979	/* 10.1.1.4 step 3 */
 980	len = drbg_hash_hashgen(drbg, buf, buflen);
 981
 982	/* this is the value H as documented in 10.1.1.4 */
 983	/* 10.1.1.4 step 4 */
 984	drbg_string_fill(&data1, &prefix, 1);
 985	list_add_tail(&data1.list, &datalist);
 986	drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
 987	list_add_tail(&data2.list, &datalist);
 988	ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist);
 989	if (ret) {
 990		len = ret;
 991		goto out;
 992	}
 993
 994	/* 10.1.1.4 step 5 */
 995	drbg_add_buf(drbg->V, drbg_statelen(drbg),
 996		     drbg->scratchpad, drbg_blocklen(drbg));
 997	drbg_add_buf(drbg->V, drbg_statelen(drbg),
 998		     drbg->C, drbg_statelen(drbg));
 999	u.req_int = cpu_to_be64(drbg->reseed_ctr);
1000	drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8);
1001
1002out:
1003	memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
1004	return len;
1005}
1006
1007/*
1008 * scratchpad usage: as update and generate are used isolated, both
1009 * can use the scratchpad
1010 */
1011static const struct drbg_state_ops drbg_hash_ops = {
1012	.update		= drbg_hash_update,
1013	.generate	= drbg_hash_generate,
1014	.crypto_init	= drbg_init_hash_kernel,
1015	.crypto_fini	= drbg_fini_hash_kernel,
1016};
1017#endif /* CONFIG_CRYPTO_DRBG_HASH */
1018
1019/******************************************************************
1020 * Functions common for DRBG implementations
1021 ******************************************************************/
1022
1023static inline int __drbg_seed(struct drbg_state *drbg, struct list_head *seed,
1024			      int reseed, enum drbg_seed_state new_seed_state)
1025{
1026	int ret = drbg->d_ops->update(drbg, seed, reseed);
1027
1028	if (ret)
1029		return ret;
1030
1031	drbg->seeded = new_seed_state;
1032	drbg->last_seed_time = jiffies;
1033	/* 10.1.1.2 / 10.1.1.3 step 5 */
1034	drbg->reseed_ctr = 1;
1035
1036	switch (drbg->seeded) {
1037	case DRBG_SEED_STATE_UNSEEDED:
1038		/* Impossible, but handle it to silence compiler warnings. */
1039		fallthrough;
1040	case DRBG_SEED_STATE_PARTIAL:
1041		/*
1042		 * Require frequent reseeds until the seed source is
1043		 * fully initialized.
1044		 */
1045		drbg->reseed_threshold = 50;
1046		break;
1047
1048	case DRBG_SEED_STATE_FULL:
1049		/*
1050		 * Seed source has become fully initialized, frequent
1051		 * reseeds no longer required.
1052		 */
1053		drbg->reseed_threshold = drbg_max_requests(drbg);
1054		break;
1055	}
1056
1057	return ret;
1058}
1059
1060static inline int drbg_get_random_bytes(struct drbg_state *drbg,
1061					unsigned char *entropy,
1062					unsigned int entropylen)
1063{
1064	int ret;
1065
1066	do {
1067		get_random_bytes(entropy, entropylen);
1068		ret = drbg_fips_continuous_test(drbg, entropy);
1069		if (ret && ret != -EAGAIN)
1070			return ret;
1071	} while (ret);
1072
1073	return 0;
1074}
1075
1076static int drbg_seed_from_random(struct drbg_state *drbg)
1077{
1078	struct drbg_string data;
1079	LIST_HEAD(seedlist);
 
 
1080	unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
1081	unsigned char entropy[32];
1082	int ret;
1083
1084	BUG_ON(!entropylen);
1085	BUG_ON(entropylen > sizeof(entropy));
1086
1087	drbg_string_fill(&data, entropy, entropylen);
1088	list_add_tail(&data.list, &seedlist);
1089
 
 
1090	ret = drbg_get_random_bytes(drbg, entropy, entropylen);
1091	if (ret)
1092		goto out;
1093
1094	ret = __drbg_seed(drbg, &seedlist, true, DRBG_SEED_STATE_FULL);
 
 
 
1095
1096out:
1097	memzero_explicit(entropy, entropylen);
1098	return ret;
1099}
1100
1101static bool drbg_nopr_reseed_interval_elapsed(struct drbg_state *drbg)
1102{
1103	unsigned long next_reseed;
1104
1105	/* Don't ever reseed from get_random_bytes() in test mode. */
1106	if (list_empty(&drbg->test_data.list))
1107		return false;
1108
1109	/*
1110	 * Obtain fresh entropy for the nopr DRBGs after 300s have
1111	 * elapsed in order to still achieve sort of partial
1112	 * prediction resistance over the time domain at least. Note
1113	 * that the period of 300s has been chosen to match the
1114	 * CRNG_RESEED_INTERVAL of the get_random_bytes()' chacha
1115	 * rngs.
1116	 */
1117	next_reseed = drbg->last_seed_time + 300 * HZ;
1118	return time_after(jiffies, next_reseed);
1119}
1120
1121/*
1122 * Seeding or reseeding of the DRBG
1123 *
1124 * @drbg: DRBG state struct
1125 * @pers: personalization / additional information buffer
1126 * @reseed: 0 for initial seed process, 1 for reseeding
1127 *
1128 * return:
1129 *	0 on success
1130 *	error value otherwise
1131 */
1132static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers,
1133		     bool reseed)
1134{
1135	int ret;
1136	unsigned char entropy[((32 + 16) * 2)];
1137	unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
1138	struct drbg_string data1;
1139	LIST_HEAD(seedlist);
1140	enum drbg_seed_state new_seed_state = DRBG_SEED_STATE_FULL;
1141
1142	/* 9.1 / 9.2 / 9.3.1 step 3 */
1143	if (pers && pers->len > (drbg_max_addtl(drbg))) {
1144		pr_devel("DRBG: personalization string too long %zu\n",
1145			 pers->len);
1146		return -EINVAL;
1147	}
1148
1149	if (list_empty(&drbg->test_data.list)) {
1150		drbg_string_fill(&data1, drbg->test_data.buf,
1151				 drbg->test_data.len);
1152		pr_devel("DRBG: using test entropy\n");
1153	} else {
1154		/*
1155		 * Gather entropy equal to the security strength of the DRBG.
1156		 * With a derivation function, a nonce is required in addition
1157		 * to the entropy. A nonce must be at least 1/2 of the security
1158		 * strength of the DRBG in size. Thus, entropy + nonce is 3/2
1159		 * of the strength. The consideration of a nonce is only
1160		 * applicable during initial seeding.
1161		 */
1162		BUG_ON(!entropylen);
1163		if (!reseed)
1164			entropylen = ((entropylen + 1) / 2) * 3;
1165		BUG_ON((entropylen * 2) > sizeof(entropy));
1166
1167		/* Get seed from in-kernel /dev/urandom */
1168		if (!rng_is_initialized())
1169			new_seed_state = DRBG_SEED_STATE_PARTIAL;
1170
1171		ret = drbg_get_random_bytes(drbg, entropy, entropylen);
1172		if (ret)
1173			goto out;
1174
1175		if (!drbg->jent) {
1176			drbg_string_fill(&data1, entropy, entropylen);
1177			pr_devel("DRBG: (re)seeding with %u bytes of entropy\n",
1178				 entropylen);
1179		} else {
1180			/*
1181			 * Get seed from Jitter RNG, failures are
1182			 * fatal only in FIPS mode.
1183			 */
1184			ret = crypto_rng_get_bytes(drbg->jent,
1185						   entropy + entropylen,
1186						   entropylen);
1187			if (fips_enabled && ret) {
1188				pr_devel("DRBG: jent failed with %d\n", ret);
1189
1190				/*
1191				 * Do not treat the transient failure of the
1192				 * Jitter RNG as an error that needs to be
1193				 * reported. The combined number of the
1194				 * maximum reseed threshold times the maximum
1195				 * number of Jitter RNG transient errors is
1196				 * less than the reseed threshold required by
1197				 * SP800-90A allowing us to treat the
1198				 * transient errors as such.
1199				 *
1200				 * However, we mandate that at least the first
1201				 * seeding operation must succeed with the
1202				 * Jitter RNG.
1203				 */
1204				if (!reseed || ret != -EAGAIN)
1205					goto out;
1206			}
1207
1208			drbg_string_fill(&data1, entropy, entropylen * 2);
1209			pr_devel("DRBG: (re)seeding with %u bytes of entropy\n",
1210				 entropylen * 2);
1211		}
1212	}
1213	list_add_tail(&data1.list, &seedlist);
1214
1215	/*
1216	 * concatenation of entropy with personalization str / addtl input)
1217	 * the variable pers is directly handed in by the caller, so check its
1218	 * contents whether it is appropriate
1219	 */
1220	if (pers && pers->buf && 0 < pers->len) {
1221		list_add_tail(&pers->list, &seedlist);
1222		pr_devel("DRBG: using personalization string\n");
1223	}
1224
1225	if (!reseed) {
1226		memset(drbg->V, 0, drbg_statelen(drbg));
1227		memset(drbg->C, 0, drbg_statelen(drbg));
1228	}
1229
1230	ret = __drbg_seed(drbg, &seedlist, reseed, new_seed_state);
1231
1232out:
1233	memzero_explicit(entropy, entropylen * 2);
1234
1235	return ret;
1236}
1237
1238/* Free all substructures in a DRBG state without the DRBG state structure */
1239static inline void drbg_dealloc_state(struct drbg_state *drbg)
1240{
1241	if (!drbg)
1242		return;
1243	kfree_sensitive(drbg->Vbuf);
1244	drbg->Vbuf = NULL;
1245	drbg->V = NULL;
1246	kfree_sensitive(drbg->Cbuf);
1247	drbg->Cbuf = NULL;
1248	drbg->C = NULL;
1249	kfree_sensitive(drbg->scratchpadbuf);
1250	drbg->scratchpadbuf = NULL;
1251	drbg->reseed_ctr = 0;
1252	drbg->d_ops = NULL;
1253	drbg->core = NULL;
1254	if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) {
1255		kfree_sensitive(drbg->prev);
1256		drbg->prev = NULL;
1257		drbg->fips_primed = false;
1258	}
1259}
1260
1261/*
1262 * Allocate all sub-structures for a DRBG state.
1263 * The DRBG state structure must already be allocated.
1264 */
1265static inline int drbg_alloc_state(struct drbg_state *drbg)
1266{
1267	int ret = -ENOMEM;
1268	unsigned int sb_size = 0;
1269
1270	switch (drbg->core->flags & DRBG_TYPE_MASK) {
1271#ifdef CONFIG_CRYPTO_DRBG_HMAC
1272	case DRBG_HMAC:
1273		drbg->d_ops = &drbg_hmac_ops;
1274		break;
1275#endif /* CONFIG_CRYPTO_DRBG_HMAC */
1276#ifdef CONFIG_CRYPTO_DRBG_HASH
1277	case DRBG_HASH:
1278		drbg->d_ops = &drbg_hash_ops;
1279		break;
1280#endif /* CONFIG_CRYPTO_DRBG_HASH */
1281#ifdef CONFIG_CRYPTO_DRBG_CTR
1282	case DRBG_CTR:
1283		drbg->d_ops = &drbg_ctr_ops;
1284		break;
1285#endif /* CONFIG_CRYPTO_DRBG_CTR */
1286	default:
1287		ret = -EOPNOTSUPP;
1288		goto err;
1289	}
1290
1291	ret = drbg->d_ops->crypto_init(drbg);
1292	if (ret < 0)
1293		goto err;
1294
1295	drbg->Vbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL);
1296	if (!drbg->Vbuf) {
1297		ret = -ENOMEM;
1298		goto fini;
1299	}
1300	drbg->V = PTR_ALIGN(drbg->Vbuf, ret + 1);
1301	drbg->Cbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL);
1302	if (!drbg->Cbuf) {
1303		ret = -ENOMEM;
1304		goto fini;
1305	}
1306	drbg->C = PTR_ALIGN(drbg->Cbuf, ret + 1);
1307	/* scratchpad is only generated for CTR and Hash */
1308	if (drbg->core->flags & DRBG_HMAC)
1309		sb_size = 0;
1310	else if (drbg->core->flags & DRBG_CTR)
1311		sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) + /* temp */
1312			  drbg_statelen(drbg) +	/* df_data */
1313			  drbg_blocklen(drbg) +	/* pad */
1314			  drbg_blocklen(drbg) +	/* iv */
1315			  drbg_statelen(drbg) + drbg_blocklen(drbg); /* temp */
1316	else
1317		sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg);
1318
1319	if (0 < sb_size) {
1320		drbg->scratchpadbuf = kzalloc(sb_size + ret, GFP_KERNEL);
1321		if (!drbg->scratchpadbuf) {
1322			ret = -ENOMEM;
1323			goto fini;
1324		}
1325		drbg->scratchpad = PTR_ALIGN(drbg->scratchpadbuf, ret + 1);
1326	}
1327
1328	if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) {
1329		drbg->prev = kzalloc(drbg_sec_strength(drbg->core->flags),
1330				     GFP_KERNEL);
1331		if (!drbg->prev) {
1332			ret = -ENOMEM;
1333			goto fini;
1334		}
1335		drbg->fips_primed = false;
1336	}
1337
1338	return 0;
1339
1340fini:
1341	drbg->d_ops->crypto_fini(drbg);
1342err:
1343	drbg_dealloc_state(drbg);
1344	return ret;
1345}
1346
1347/*************************************************************************
1348 * DRBG interface functions
1349 *************************************************************************/
1350
1351/*
1352 * DRBG generate function as required by SP800-90A - this function
1353 * generates random numbers
1354 *
1355 * @drbg DRBG state handle
1356 * @buf Buffer where to store the random numbers -- the buffer must already
1357 *      be pre-allocated by caller
1358 * @buflen Length of output buffer - this value defines the number of random
1359 *	   bytes pulled from DRBG
1360 * @addtl Additional input that is mixed into state, may be NULL -- note
1361 *	  the entropy is pulled by the DRBG internally unconditionally
1362 *	  as defined in SP800-90A. The additional input is mixed into
1363 *	  the state in addition to the pulled entropy.
1364 *
1365 * return: 0 when all bytes are generated; < 0 in case of an error
1366 */
1367static int drbg_generate(struct drbg_state *drbg,
1368			 unsigned char *buf, unsigned int buflen,
1369			 struct drbg_string *addtl)
1370{
1371	int len = 0;
1372	LIST_HEAD(addtllist);
1373
1374	if (!drbg->core) {
1375		pr_devel("DRBG: not yet seeded\n");
1376		return -EINVAL;
1377	}
1378	if (0 == buflen || !buf) {
1379		pr_devel("DRBG: no output buffer provided\n");
1380		return -EINVAL;
1381	}
1382	if (addtl && NULL == addtl->buf && 0 < addtl->len) {
1383		pr_devel("DRBG: wrong format of additional information\n");
1384		return -EINVAL;
1385	}
1386
1387	/* 9.3.1 step 2 */
1388	len = -EINVAL;
1389	if (buflen > (drbg_max_request_bytes(drbg))) {
1390		pr_devel("DRBG: requested random numbers too large %u\n",
1391			 buflen);
1392		goto err;
1393	}
1394
1395	/* 9.3.1 step 3 is implicit with the chosen DRBG */
1396
1397	/* 9.3.1 step 4 */
1398	if (addtl && addtl->len > (drbg_max_addtl(drbg))) {
1399		pr_devel("DRBG: additional information string too long %zu\n",
1400			 addtl->len);
1401		goto err;
1402	}
1403	/* 9.3.1 step 5 is implicit with the chosen DRBG */
1404
1405	/*
1406	 * 9.3.1 step 6 and 9 supplemented by 9.3.2 step c is implemented
1407	 * here. The spec is a bit convoluted here, we make it simpler.
1408	 */
1409	if (drbg->reseed_threshold < drbg->reseed_ctr)
1410		drbg->seeded = DRBG_SEED_STATE_UNSEEDED;
1411
1412	if (drbg->pr || drbg->seeded == DRBG_SEED_STATE_UNSEEDED) {
1413		pr_devel("DRBG: reseeding before generation (prediction "
1414			 "resistance: %s, state %s)\n",
1415			 drbg->pr ? "true" : "false",
1416			 (drbg->seeded ==  DRBG_SEED_STATE_FULL ?
1417			  "seeded" : "unseeded"));
1418		/* 9.3.1 steps 7.1 through 7.3 */
1419		len = drbg_seed(drbg, addtl, true);
1420		if (len)
1421			goto err;
1422		/* 9.3.1 step 7.4 */
1423		addtl = NULL;
1424	} else if (rng_is_initialized() &&
1425		   (drbg->seeded == DRBG_SEED_STATE_PARTIAL ||
1426		    drbg_nopr_reseed_interval_elapsed(drbg))) {
1427		len = drbg_seed_from_random(drbg);
1428		if (len)
1429			goto err;
1430	}
1431
1432	if (addtl && 0 < addtl->len)
1433		list_add_tail(&addtl->list, &addtllist);
1434	/* 9.3.1 step 8 and 10 */
1435	len = drbg->d_ops->generate(drbg, buf, buflen, &addtllist);
1436
1437	/* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */
1438	drbg->reseed_ctr++;
1439	if (0 >= len)
1440		goto err;
1441
1442	/*
1443	 * Section 11.3.3 requires to re-perform self tests after some
1444	 * generated random numbers. The chosen value after which self
1445	 * test is performed is arbitrary, but it should be reasonable.
1446	 * However, we do not perform the self tests because of the following
1447	 * reasons: it is mathematically impossible that the initial self tests
1448	 * were successfully and the following are not. If the initial would
1449	 * pass and the following would not, the kernel integrity is violated.
1450	 * In this case, the entire kernel operation is questionable and it
1451	 * is unlikely that the integrity violation only affects the
1452	 * correct operation of the DRBG.
1453	 *
1454	 * Albeit the following code is commented out, it is provided in
1455	 * case somebody has a need to implement the test of 11.3.3.
1456	 */
1457#if 0
1458	if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096)) {
1459		int err = 0;
1460		pr_devel("DRBG: start to perform self test\n");
1461		if (drbg->core->flags & DRBG_HMAC)
1462			err = alg_test("drbg_pr_hmac_sha512",
1463				       "drbg_pr_hmac_sha512", 0, 0);
1464		else if (drbg->core->flags & DRBG_CTR)
1465			err = alg_test("drbg_pr_ctr_aes256",
1466				       "drbg_pr_ctr_aes256", 0, 0);
1467		else
1468			err = alg_test("drbg_pr_sha256",
1469				       "drbg_pr_sha256", 0, 0);
1470		if (err) {
1471			pr_err("DRBG: periodical self test failed\n");
1472			/*
1473			 * uninstantiate implies that from now on, only errors
1474			 * are returned when reusing this DRBG cipher handle
1475			 */
1476			drbg_uninstantiate(drbg);
1477			return 0;
1478		} else {
1479			pr_devel("DRBG: self test successful\n");
1480		}
1481	}
1482#endif
1483
1484	/*
1485	 * All operations were successful, return 0 as mandated by
1486	 * the kernel crypto API interface.
1487	 */
1488	len = 0;
1489err:
1490	return len;
1491}
1492
1493/*
1494 * Wrapper around drbg_generate which can pull arbitrary long strings
1495 * from the DRBG without hitting the maximum request limitation.
1496 *
1497 * Parameters: see drbg_generate
1498 * Return codes: see drbg_generate -- if one drbg_generate request fails,
1499 *		 the entire drbg_generate_long request fails
1500 */
1501static int drbg_generate_long(struct drbg_state *drbg,
1502			      unsigned char *buf, unsigned int buflen,
1503			      struct drbg_string *addtl)
1504{
1505	unsigned int len = 0;
1506	unsigned int slice = 0;
1507	do {
1508		int err = 0;
1509		unsigned int chunk = 0;
1510		slice = ((buflen - len) / drbg_max_request_bytes(drbg));
1511		chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len);
1512		mutex_lock(&drbg->drbg_mutex);
1513		err = drbg_generate(drbg, buf + len, chunk, addtl);
1514		mutex_unlock(&drbg->drbg_mutex);
1515		if (0 > err)
1516			return err;
1517		len += chunk;
1518	} while (slice > 0 && (len < buflen));
1519	return 0;
1520}
1521
 
 
 
 
 
 
 
 
1522static int drbg_prepare_hrng(struct drbg_state *drbg)
1523{
 
 
1524	/* We do not need an HRNG in test mode. */
1525	if (list_empty(&drbg->test_data.list))
1526		return 0;
1527
1528	drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0);
1529	if (IS_ERR(drbg->jent)) {
1530		const int err = PTR_ERR(drbg->jent);
1531
1532		drbg->jent = NULL;
1533		if (fips_enabled)
1534			return err;
1535		pr_info("DRBG: Continuing without Jitter RNG\n");
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1536	}
1537
1538	return 0;
 
 
 
 
 
 
1539}
1540
1541/*
1542 * DRBG instantiation function as required by SP800-90A - this function
1543 * sets up the DRBG handle, performs the initial seeding and all sanity
1544 * checks required by SP800-90A
1545 *
1546 * @drbg memory of state -- if NULL, new memory is allocated
1547 * @pers Personalization string that is mixed into state, may be NULL -- note
1548 *	 the entropy is pulled by the DRBG internally unconditionally
1549 *	 as defined in SP800-90A. The additional input is mixed into
1550 *	 the state in addition to the pulled entropy.
1551 * @coreref reference to core
1552 * @pr prediction resistance enabled
1553 *
1554 * return
1555 *	0 on success
1556 *	error value otherwise
1557 */
1558static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers,
1559			    int coreref, bool pr)
1560{
1561	int ret;
1562	bool reseed = true;
1563
1564	pr_devel("DRBG: Initializing DRBG core %d with prediction resistance "
1565		 "%s\n", coreref, pr ? "enabled" : "disabled");
1566	mutex_lock(&drbg->drbg_mutex);
1567
1568	/* 9.1 step 1 is implicit with the selected DRBG type */
1569
1570	/*
1571	 * 9.1 step 2 is implicit as caller can select prediction resistance
1572	 * and the flag is copied into drbg->flags --
1573	 * all DRBG types support prediction resistance
1574	 */
1575
1576	/* 9.1 step 4 is implicit in  drbg_sec_strength */
1577
1578	if (!drbg->core) {
1579		drbg->core = &drbg_cores[coreref];
1580		drbg->pr = pr;
1581		drbg->seeded = DRBG_SEED_STATE_UNSEEDED;
1582		drbg->last_seed_time = 0;
1583		drbg->reseed_threshold = drbg_max_requests(drbg);
1584
1585		ret = drbg_alloc_state(drbg);
1586		if (ret)
1587			goto unlock;
1588
1589		ret = drbg_prepare_hrng(drbg);
1590		if (ret)
1591			goto free_everything;
1592
 
 
 
 
 
 
 
 
1593		reseed = false;
1594	}
1595
1596	ret = drbg_seed(drbg, pers, reseed);
1597
1598	if (ret && !reseed)
1599		goto free_everything;
1600
1601	mutex_unlock(&drbg->drbg_mutex);
1602	return ret;
1603
1604unlock:
1605	mutex_unlock(&drbg->drbg_mutex);
1606	return ret;
1607
1608free_everything:
1609	mutex_unlock(&drbg->drbg_mutex);
1610	drbg_uninstantiate(drbg);
1611	return ret;
1612}
1613
1614/*
1615 * DRBG uninstantiate function as required by SP800-90A - this function
1616 * frees all buffers and the DRBG handle
1617 *
1618 * @drbg DRBG state handle
1619 *
1620 * return
1621 *	0 on success
1622 */
1623static int drbg_uninstantiate(struct drbg_state *drbg)
1624{
 
 
 
 
 
1625	if (!IS_ERR_OR_NULL(drbg->jent))
1626		crypto_free_rng(drbg->jent);
1627	drbg->jent = NULL;
1628
1629	if (drbg->d_ops)
1630		drbg->d_ops->crypto_fini(drbg);
1631	drbg_dealloc_state(drbg);
1632	/* no scrubbing of test_data -- this shall survive an uninstantiate */
1633	return 0;
1634}
1635
1636/*
1637 * Helper function for setting the test data in the DRBG
1638 *
1639 * @drbg DRBG state handle
1640 * @data test data
1641 * @len test data length
1642 */
1643static void drbg_kcapi_set_entropy(struct crypto_rng *tfm,
1644				   const u8 *data, unsigned int len)
1645{
1646	struct drbg_state *drbg = crypto_rng_ctx(tfm);
1647
1648	mutex_lock(&drbg->drbg_mutex);
1649	drbg_string_fill(&drbg->test_data, data, len);
1650	mutex_unlock(&drbg->drbg_mutex);
1651}
1652
1653/***************************************************************
1654 * Kernel crypto API cipher invocations requested by DRBG
1655 ***************************************************************/
1656
1657#if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC)
1658struct sdesc {
1659	struct shash_desc shash;
1660	char ctx[];
1661};
1662
1663static int drbg_init_hash_kernel(struct drbg_state *drbg)
1664{
1665	struct sdesc *sdesc;
1666	struct crypto_shash *tfm;
1667
1668	tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0);
1669	if (IS_ERR(tfm)) {
1670		pr_info("DRBG: could not allocate digest TFM handle: %s\n",
1671				drbg->core->backend_cra_name);
1672		return PTR_ERR(tfm);
1673	}
1674	BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(tfm));
1675	sdesc = kzalloc(sizeof(struct shash_desc) + crypto_shash_descsize(tfm),
1676			GFP_KERNEL);
1677	if (!sdesc) {
1678		crypto_free_shash(tfm);
1679		return -ENOMEM;
1680	}
1681
1682	sdesc->shash.tfm = tfm;
1683	drbg->priv_data = sdesc;
1684
1685	return 0;
1686}
1687
1688static int drbg_fini_hash_kernel(struct drbg_state *drbg)
1689{
1690	struct sdesc *sdesc = drbg->priv_data;
1691	if (sdesc) {
1692		crypto_free_shash(sdesc->shash.tfm);
1693		kfree_sensitive(sdesc);
1694	}
1695	drbg->priv_data = NULL;
1696	return 0;
1697}
1698
1699static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg,
1700				  const unsigned char *key)
1701{
1702	struct sdesc *sdesc = drbg->priv_data;
1703
1704	crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg));
1705}
1706
1707static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval,
1708			   const struct list_head *in)
1709{
1710	struct sdesc *sdesc = drbg->priv_data;
1711	struct drbg_string *input = NULL;
1712
1713	crypto_shash_init(&sdesc->shash);
1714	list_for_each_entry(input, in, list)
1715		crypto_shash_update(&sdesc->shash, input->buf, input->len);
1716	return crypto_shash_final(&sdesc->shash, outval);
1717}
1718#endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */
1719
1720#ifdef CONFIG_CRYPTO_DRBG_CTR
1721static int drbg_fini_sym_kernel(struct drbg_state *drbg)
1722{
1723	struct crypto_cipher *tfm =
1724		(struct crypto_cipher *)drbg->priv_data;
1725	if (tfm)
1726		crypto_free_cipher(tfm);
1727	drbg->priv_data = NULL;
1728
1729	if (drbg->ctr_handle)
1730		crypto_free_skcipher(drbg->ctr_handle);
1731	drbg->ctr_handle = NULL;
1732
1733	if (drbg->ctr_req)
1734		skcipher_request_free(drbg->ctr_req);
1735	drbg->ctr_req = NULL;
1736
1737	kfree(drbg->outscratchpadbuf);
1738	drbg->outscratchpadbuf = NULL;
1739
1740	return 0;
1741}
1742
1743static int drbg_init_sym_kernel(struct drbg_state *drbg)
1744{
1745	struct crypto_cipher *tfm;
1746	struct crypto_skcipher *sk_tfm;
1747	struct skcipher_request *req;
1748	unsigned int alignmask;
1749	char ctr_name[CRYPTO_MAX_ALG_NAME];
1750
1751	tfm = crypto_alloc_cipher(drbg->core->backend_cra_name, 0, 0);
1752	if (IS_ERR(tfm)) {
1753		pr_info("DRBG: could not allocate cipher TFM handle: %s\n",
1754				drbg->core->backend_cra_name);
1755		return PTR_ERR(tfm);
1756	}
1757	BUG_ON(drbg_blocklen(drbg) != crypto_cipher_blocksize(tfm));
1758	drbg->priv_data = tfm;
1759
1760	if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)",
1761	    drbg->core->backend_cra_name) >= CRYPTO_MAX_ALG_NAME) {
1762		drbg_fini_sym_kernel(drbg);
1763		return -EINVAL;
1764	}
1765	sk_tfm = crypto_alloc_skcipher(ctr_name, 0, 0);
1766	if (IS_ERR(sk_tfm)) {
1767		pr_info("DRBG: could not allocate CTR cipher TFM handle: %s\n",
1768				ctr_name);
1769		drbg_fini_sym_kernel(drbg);
1770		return PTR_ERR(sk_tfm);
1771	}
1772	drbg->ctr_handle = sk_tfm;
1773	crypto_init_wait(&drbg->ctr_wait);
1774
1775	req = skcipher_request_alloc(sk_tfm, GFP_KERNEL);
1776	if (!req) {
1777		pr_info("DRBG: could not allocate request queue\n");
1778		drbg_fini_sym_kernel(drbg);
1779		return -ENOMEM;
1780	}
1781	drbg->ctr_req = req;
1782	skcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG |
1783						CRYPTO_TFM_REQ_MAY_SLEEP,
1784					crypto_req_done, &drbg->ctr_wait);
1785
1786	alignmask = crypto_skcipher_alignmask(sk_tfm);
1787	drbg->outscratchpadbuf = kmalloc(DRBG_OUTSCRATCHLEN + alignmask,
1788					 GFP_KERNEL);
1789	if (!drbg->outscratchpadbuf) {
1790		drbg_fini_sym_kernel(drbg);
1791		return -ENOMEM;
1792	}
1793	drbg->outscratchpad = (u8 *)PTR_ALIGN(drbg->outscratchpadbuf,
1794					      alignmask + 1);
1795
1796	sg_init_table(&drbg->sg_in, 1);
1797	sg_init_one(&drbg->sg_out, drbg->outscratchpad, DRBG_OUTSCRATCHLEN);
1798
1799	return alignmask;
1800}
1801
1802static void drbg_kcapi_symsetkey(struct drbg_state *drbg,
1803				 const unsigned char *key)
1804{
1805	struct crypto_cipher *tfm = drbg->priv_data;
 
1806
1807	crypto_cipher_setkey(tfm, key, (drbg_keylen(drbg)));
1808}
1809
1810static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval,
1811			  const struct drbg_string *in)
1812{
1813	struct crypto_cipher *tfm = drbg->priv_data;
 
1814
1815	/* there is only component in *in */
1816	BUG_ON(in->len < drbg_blocklen(drbg));
1817	crypto_cipher_encrypt_one(tfm, outval, in->buf);
1818	return 0;
1819}
1820
1821static int drbg_kcapi_sym_ctr(struct drbg_state *drbg,
1822			      u8 *inbuf, u32 inlen,
1823			      u8 *outbuf, u32 outlen)
1824{
1825	struct scatterlist *sg_in = &drbg->sg_in, *sg_out = &drbg->sg_out;
1826	u32 scratchpad_use = min_t(u32, outlen, DRBG_OUTSCRATCHLEN);
1827	int ret;
1828
1829	if (inbuf) {
1830		/* Use caller-provided input buffer */
1831		sg_set_buf(sg_in, inbuf, inlen);
1832	} else {
1833		/* Use scratchpad for in-place operation */
1834		inlen = scratchpad_use;
1835		memset(drbg->outscratchpad, 0, scratchpad_use);
1836		sg_set_buf(sg_in, drbg->outscratchpad, scratchpad_use);
1837	}
1838
1839	while (outlen) {
1840		u32 cryptlen = min3(inlen, outlen, (u32)DRBG_OUTSCRATCHLEN);
1841
1842		/* Output buffer may not be valid for SGL, use scratchpad */
1843		skcipher_request_set_crypt(drbg->ctr_req, sg_in, sg_out,
1844					   cryptlen, drbg->V);
1845		ret = crypto_wait_req(crypto_skcipher_encrypt(drbg->ctr_req),
1846					&drbg->ctr_wait);
1847		if (ret)
1848			goto out;
1849
1850		crypto_init_wait(&drbg->ctr_wait);
1851
1852		memcpy(outbuf, drbg->outscratchpad, cryptlen);
1853		memzero_explicit(drbg->outscratchpad, cryptlen);
1854
1855		outlen -= cryptlen;
1856		outbuf += cryptlen;
1857	}
1858	ret = 0;
1859
1860out:
1861	return ret;
1862}
1863#endif /* CONFIG_CRYPTO_DRBG_CTR */
1864
1865/***************************************************************
1866 * Kernel crypto API interface to register DRBG
1867 ***************************************************************/
1868
1869/*
1870 * Look up the DRBG flags by given kernel crypto API cra_name
1871 * The code uses the drbg_cores definition to do this
1872 *
1873 * @cra_name kernel crypto API cra_name
1874 * @coreref reference to integer which is filled with the pointer to
1875 *  the applicable core
1876 * @pr reference for setting prediction resistance
1877 *
1878 * return: flags
1879 */
1880static inline void drbg_convert_tfm_core(const char *cra_driver_name,
1881					 int *coreref, bool *pr)
1882{
1883	int i = 0;
1884	size_t start = 0;
1885	int len = 0;
1886
1887	*pr = true;
1888	/* disassemble the names */
1889	if (!memcmp(cra_driver_name, "drbg_nopr_", 10)) {
1890		start = 10;
1891		*pr = false;
1892	} else if (!memcmp(cra_driver_name, "drbg_pr_", 8)) {
1893		start = 8;
1894	} else {
1895		return;
1896	}
1897
1898	/* remove the first part */
1899	len = strlen(cra_driver_name) - start;
1900	for (i = 0; ARRAY_SIZE(drbg_cores) > i; i++) {
1901		if (!memcmp(cra_driver_name + start, drbg_cores[i].cra_name,
1902			    len)) {
1903			*coreref = i;
1904			return;
1905		}
1906	}
1907}
1908
1909static int drbg_kcapi_init(struct crypto_tfm *tfm)
1910{
1911	struct drbg_state *drbg = crypto_tfm_ctx(tfm);
1912
1913	mutex_init(&drbg->drbg_mutex);
1914
1915	return 0;
1916}
1917
1918static void drbg_kcapi_cleanup(struct crypto_tfm *tfm)
1919{
1920	drbg_uninstantiate(crypto_tfm_ctx(tfm));
1921}
1922
1923/*
1924 * Generate random numbers invoked by the kernel crypto API:
1925 * The API of the kernel crypto API is extended as follows:
1926 *
1927 * src is additional input supplied to the RNG.
1928 * slen is the length of src.
1929 * dst is the output buffer where random data is to be stored.
1930 * dlen is the length of dst.
1931 */
1932static int drbg_kcapi_random(struct crypto_rng *tfm,
1933			     const u8 *src, unsigned int slen,
1934			     u8 *dst, unsigned int dlen)
1935{
1936	struct drbg_state *drbg = crypto_rng_ctx(tfm);
1937	struct drbg_string *addtl = NULL;
1938	struct drbg_string string;
1939
1940	if (slen) {
1941		/* linked list variable is now local to allow modification */
1942		drbg_string_fill(&string, src, slen);
1943		addtl = &string;
1944	}
1945
1946	return drbg_generate_long(drbg, dst, dlen, addtl);
1947}
1948
1949/*
1950 * Seed the DRBG invoked by the kernel crypto API
1951 */
1952static int drbg_kcapi_seed(struct crypto_rng *tfm,
1953			   const u8 *seed, unsigned int slen)
1954{
1955	struct drbg_state *drbg = crypto_rng_ctx(tfm);
1956	struct crypto_tfm *tfm_base = crypto_rng_tfm(tfm);
1957	bool pr = false;
1958	struct drbg_string string;
1959	struct drbg_string *seed_string = NULL;
1960	int coreref = 0;
1961
1962	drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm_base), &coreref,
1963			      &pr);
1964	if (0 < slen) {
1965		drbg_string_fill(&string, seed, slen);
1966		seed_string = &string;
1967	}
1968
1969	return drbg_instantiate(drbg, seed_string, coreref, pr);
1970}
1971
1972/***************************************************************
1973 * Kernel module: code to load the module
1974 ***************************************************************/
1975
1976/*
1977 * Tests as defined in 11.3.2 in addition to the cipher tests: testing
1978 * of the error handling.
1979 *
1980 * Note: testing of failing seed source as defined in 11.3.2 is not applicable
1981 * as seed source of get_random_bytes does not fail.
1982 *
1983 * Note 2: There is no sensible way of testing the reseed counter
1984 * enforcement, so skip it.
1985 */
1986static inline int __init drbg_healthcheck_sanity(void)
1987{
1988	int len = 0;
1989#define OUTBUFLEN 16
1990	unsigned char buf[OUTBUFLEN];
1991	struct drbg_state *drbg = NULL;
1992	int ret;
1993	int rc = -EFAULT;
1994	bool pr = false;
1995	int coreref = 0;
1996	struct drbg_string addtl;
1997	size_t max_addtllen, max_request_bytes;
1998
1999	/* only perform test in FIPS mode */
2000	if (!fips_enabled)
2001		return 0;
2002
2003#ifdef CONFIG_CRYPTO_DRBG_CTR
2004	drbg_convert_tfm_core("drbg_nopr_ctr_aes256", &coreref, &pr);
2005#endif
2006#ifdef CONFIG_CRYPTO_DRBG_HASH
2007	drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr);
2008#endif
2009#ifdef CONFIG_CRYPTO_DRBG_HMAC
2010	drbg_convert_tfm_core("drbg_nopr_hmac_sha512", &coreref, &pr);
2011#endif
2012
2013	drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL);
2014	if (!drbg)
2015		return -ENOMEM;
2016
2017	mutex_init(&drbg->drbg_mutex);
2018	drbg->core = &drbg_cores[coreref];
2019	drbg->reseed_threshold = drbg_max_requests(drbg);
2020
2021	/*
2022	 * if the following tests fail, it is likely that there is a buffer
2023	 * overflow as buf is much smaller than the requested or provided
2024	 * string lengths -- in case the error handling does not succeed
2025	 * we may get an OOPS. And we want to get an OOPS as this is a
2026	 * grave bug.
2027	 */
2028
2029	max_addtllen = drbg_max_addtl(drbg);
2030	max_request_bytes = drbg_max_request_bytes(drbg);
2031	drbg_string_fill(&addtl, buf, max_addtllen + 1);
2032	/* overflow addtllen with additonal info string */
2033	len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl);
2034	BUG_ON(0 < len);
2035	/* overflow max_bits */
2036	len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL);
2037	BUG_ON(0 < len);
2038
2039	/* overflow max addtllen with personalization string */
2040	ret = drbg_seed(drbg, &addtl, false);
2041	BUG_ON(0 == ret);
2042	/* all tests passed */
2043	rc = 0;
2044
2045	pr_devel("DRBG: Sanity tests for failure code paths successfully "
2046		 "completed\n");
2047
2048	kfree(drbg);
2049	return rc;
2050}
2051
2052static struct rng_alg drbg_algs[22];
2053
2054/*
2055 * Fill the array drbg_algs used to register the different DRBGs
2056 * with the kernel crypto API. To fill the array, the information
2057 * from drbg_cores[] is used.
2058 */
2059static inline void __init drbg_fill_array(struct rng_alg *alg,
2060					  const struct drbg_core *core, int pr)
2061{
2062	int pos = 0;
2063	static int priority = 200;
2064
2065	memcpy(alg->base.cra_name, "stdrng", 6);
2066	if (pr) {
2067		memcpy(alg->base.cra_driver_name, "drbg_pr_", 8);
2068		pos = 8;
2069	} else {
2070		memcpy(alg->base.cra_driver_name, "drbg_nopr_", 10);
2071		pos = 10;
2072	}
2073	memcpy(alg->base.cra_driver_name + pos, core->cra_name,
2074	       strlen(core->cra_name));
2075
2076	alg->base.cra_priority = priority;
2077	priority++;
2078	/*
2079	 * If FIPS mode enabled, the selected DRBG shall have the
2080	 * highest cra_priority over other stdrng instances to ensure
2081	 * it is selected.
2082	 */
2083	if (fips_enabled)
2084		alg->base.cra_priority += 200;
2085
2086	alg->base.cra_ctxsize 	= sizeof(struct drbg_state);
2087	alg->base.cra_module	= THIS_MODULE;
2088	alg->base.cra_init	= drbg_kcapi_init;
2089	alg->base.cra_exit	= drbg_kcapi_cleanup;
2090	alg->generate		= drbg_kcapi_random;
2091	alg->seed		= drbg_kcapi_seed;
2092	alg->set_ent		= drbg_kcapi_set_entropy;
2093	alg->seedsize		= 0;
2094}
2095
2096static int __init drbg_init(void)
2097{
2098	unsigned int i = 0; /* pointer to drbg_algs */
2099	unsigned int j = 0; /* pointer to drbg_cores */
2100	int ret;
2101
2102	ret = drbg_healthcheck_sanity();
2103	if (ret)
2104		return ret;
2105
2106	if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) {
2107		pr_info("DRBG: Cannot register all DRBG types"
2108			"(slots needed: %zu, slots available: %zu)\n",
2109			ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs));
2110		return -EFAULT;
2111	}
2112
2113	/*
2114	 * each DRBG definition can be used with PR and without PR, thus
2115	 * we instantiate each DRBG in drbg_cores[] twice.
2116	 *
2117	 * As the order of placing them into the drbg_algs array matters
2118	 * (the later DRBGs receive a higher cra_priority) we register the
2119	 * prediction resistance DRBGs first as the should not be too
2120	 * interesting.
2121	 */
2122	for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++)
2123		drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 1);
2124	for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++)
2125		drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 0);
2126	return crypto_register_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2));
2127}
2128
2129static void __exit drbg_exit(void)
2130{
2131	crypto_unregister_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2));
2132}
2133
2134subsys_initcall(drbg_init);
2135module_exit(drbg_exit);
2136#ifndef CRYPTO_DRBG_HASH_STRING
2137#define CRYPTO_DRBG_HASH_STRING ""
2138#endif
2139#ifndef CRYPTO_DRBG_HMAC_STRING
2140#define CRYPTO_DRBG_HMAC_STRING ""
2141#endif
2142#ifndef CRYPTO_DRBG_CTR_STRING
2143#define CRYPTO_DRBG_CTR_STRING ""
2144#endif
2145MODULE_LICENSE("GPL");
2146MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
2147MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) "
2148		   "using following cores: "
2149		   CRYPTO_DRBG_HASH_STRING
2150		   CRYPTO_DRBG_HMAC_STRING
2151		   CRYPTO_DRBG_CTR_STRING);
2152MODULE_ALIAS_CRYPTO("stdrng");
2153MODULE_IMPORT_NS(CRYPTO_INTERNAL);