diff options
Diffstat (limited to 'crypto/drbg.c')
-rw-r--r-- | crypto/drbg.c | 2007 |
1 files changed, 2007 insertions, 0 deletions
diff --git a/crypto/drbg.c b/crypto/drbg.c new file mode 100644 index 000000000000..faaa2cefeeed --- /dev/null +++ b/crypto/drbg.c | |||
@@ -0,0 +1,2007 @@ | |||
1 | /* | ||
2 | * DRBG: Deterministic Random Bits Generator | ||
3 | * Based on NIST Recommended DRBG from NIST SP800-90A with the following | ||
4 | * properties: | ||
5 | * * CTR DRBG with DF with AES-128, AES-192, AES-256 cores | ||
6 | * * Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores | ||
7 | * * HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores | ||
8 | * * with and without prediction resistance | ||
9 | * | ||
10 | * Copyright Stephan Mueller <smueller@chronox.de>, 2014 | ||
11 | * | ||
12 | * Redistribution and use in source and binary forms, with or without | ||
13 | * modification, are permitted provided that the following conditions | ||
14 | * are met: | ||
15 | * 1. Redistributions of source code must retain the above copyright | ||
16 | * notice, and the entire permission notice in its entirety, | ||
17 | * including the disclaimer of warranties. | ||
18 | * 2. Redistributions in binary form must reproduce the above copyright | ||
19 | * notice, this list of conditions and the following disclaimer in the | ||
20 | * documentation and/or other materials provided with the distribution. | ||
21 | * 3. The name of the author may not be used to endorse or promote | ||
22 | * products derived from this software without specific prior | ||
23 | * written permission. | ||
24 | * | ||
25 | * ALTERNATIVELY, this product may be distributed under the terms of | ||
26 | * the GNU General Public License, in which case the provisions of the GPL are | ||
27 | * required INSTEAD OF the above restrictions. (This clause is | ||
28 | * necessary due to a potential bad interaction between the GPL and | ||
29 | * the restrictions contained in a BSD-style copyright.) | ||
30 | * | ||
31 | * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED | ||
32 | * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES | ||
33 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF | ||
34 | * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE | ||
35 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | ||
36 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT | ||
37 | * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR | ||
38 | * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF | ||
39 | * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | ||
40 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE | ||
41 | * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH | ||
42 | * DAMAGE. | ||
43 | * | ||
44 | * DRBG Usage | ||
45 | * ========== | ||
46 | * The SP 800-90A DRBG allows the user to specify a personalization string | ||
47 | * for initialization as well as an additional information string for each | ||
48 | * random number request. The following code fragments show how a caller | ||
49 | * uses the kernel crypto API to use the full functionality of the DRBG. | ||
50 | * | ||
51 | * Usage without any additional data | ||
52 | * --------------------------------- | ||
53 | * struct crypto_rng *drng; | ||
54 | * int err; | ||
55 | * char data[DATALEN]; | ||
56 | * | ||
57 | * drng = crypto_alloc_rng(drng_name, 0, 0); | ||
58 | * err = crypto_rng_get_bytes(drng, &data, DATALEN); | ||
59 | * crypto_free_rng(drng); | ||
60 | * | ||
61 | * | ||
62 | * Usage with personalization string during initialization | ||
63 | * ------------------------------------------------------- | ||
64 | * struct crypto_rng *drng; | ||
65 | * int err; | ||
66 | * char data[DATALEN]; | ||
67 | * struct drbg_string pers; | ||
68 | * char personalization[11] = "some-string"; | ||
69 | * | ||
70 | * drbg_string_fill(&pers, personalization, strlen(personalization)); | ||
71 | * drng = crypto_alloc_rng(drng_name, 0, 0); | ||
72 | * // The reset completely re-initializes the DRBG with the provided | ||
73 | * // personalization string | ||
74 | * err = crypto_rng_reset(drng, &personalization, strlen(personalization)); | ||
75 | * err = crypto_rng_get_bytes(drng, &data, DATALEN); | ||
76 | * crypto_free_rng(drng); | ||
77 | * | ||
78 | * | ||
79 | * Usage with additional information string during random number request | ||
80 | * --------------------------------------------------------------------- | ||
81 | * struct crypto_rng *drng; | ||
82 | * int err; | ||
83 | * char data[DATALEN]; | ||
84 | * char addtl_string[11] = "some-string"; | ||
85 | * string drbg_string addtl; | ||
86 | * | ||
87 | * drbg_string_fill(&addtl, addtl_string, strlen(addtl_string)); | ||
88 | * drng = crypto_alloc_rng(drng_name, 0, 0); | ||
89 | * // The following call is a wrapper to crypto_rng_get_bytes() and returns | ||
90 | * // the same error codes. | ||
91 | * err = crypto_drbg_get_bytes_addtl(drng, &data, DATALEN, &addtl); | ||
92 | * crypto_free_rng(drng); | ||
93 | * | ||
94 | * | ||
95 | * Usage with personalization and additional information strings | ||
96 | * ------------------------------------------------------------- | ||
97 | * Just mix both scenarios above. | ||
98 | */ | ||
99 | |||
100 | #include <crypto/drbg.h> | ||
101 | |||
102 | #if !defined(CONFIG_CRYPTO_DRBG_HASH) && \ | ||
103 | !defined(CONFIG_CRYPTO_DRBG_HMAC) && \ | ||
104 | !defined(CONFIG_CRYPTO_DRBG_CTR) | ||
105 | #warning "The DRBG code is useless without compiling at least one DRBG type" | ||
106 | #endif | ||
107 | |||
108 | /*************************************************************** | ||
109 | * Backend cipher definitions available to DRBG | ||
110 | ***************************************************************/ | ||
111 | |||
112 | /* | ||
113 | * The order of the DRBG definitions here matter: every DRBG is registered | ||
114 | * as stdrng. Each DRBG receives an increasing cra_priority values the later | ||
115 | * they are defined in this array (see drbg_fill_array). | ||
116 | * | ||
117 | * HMAC DRBGs are favored over Hash DRBGs over CTR DRBGs, and | ||
118 | * the SHA256 / AES 256 over other ciphers. Thus, the favored | ||
119 | * DRBGs are the latest entries in this array. | ||
120 | */ | ||
121 | static const struct drbg_core drbg_cores[] = { | ||
122 | #ifdef CONFIG_CRYPTO_DRBG_CTR | ||
123 | { | ||
124 | .flags = DRBG_CTR | DRBG_STRENGTH128, | ||
125 | .statelen = 32, /* 256 bits as defined in 10.2.1 */ | ||
126 | .max_addtllen = 35, | ||
127 | .max_bits = 19, | ||
128 | .max_req = 48, | ||
129 | .blocklen_bytes = 16, | ||
130 | .cra_name = "ctr_aes128", | ||
131 | .backend_cra_name = "ecb(aes)", | ||
132 | }, { | ||
133 | .flags = DRBG_CTR | DRBG_STRENGTH192, | ||
134 | .statelen = 40, /* 320 bits as defined in 10.2.1 */ | ||
135 | .max_addtllen = 35, | ||
136 | .max_bits = 19, | ||
137 | .max_req = 48, | ||
138 | .blocklen_bytes = 16, | ||
139 | .cra_name = "ctr_aes192", | ||
140 | .backend_cra_name = "ecb(aes)", | ||
141 | }, { | ||
142 | .flags = DRBG_CTR | DRBG_STRENGTH256, | ||
143 | .statelen = 48, /* 384 bits as defined in 10.2.1 */ | ||
144 | .max_addtllen = 35, | ||
145 | .max_bits = 19, | ||
146 | .max_req = 48, | ||
147 | .blocklen_bytes = 16, | ||
148 | .cra_name = "ctr_aes256", | ||
149 | .backend_cra_name = "ecb(aes)", | ||
150 | }, | ||
151 | #endif /* CONFIG_CRYPTO_DRBG_CTR */ | ||
152 | #ifdef CONFIG_CRYPTO_DRBG_HASH | ||
153 | { | ||
154 | .flags = DRBG_HASH | DRBG_STRENGTH128, | ||
155 | .statelen = 55, /* 440 bits */ | ||
156 | .max_addtllen = 35, | ||
157 | .max_bits = 19, | ||
158 | .max_req = 48, | ||
159 | .blocklen_bytes = 20, | ||
160 | .cra_name = "sha1", | ||
161 | .backend_cra_name = "sha1", | ||
162 | }, { | ||
163 | .flags = DRBG_HASH | DRBG_STRENGTH256, | ||
164 | .statelen = 111, /* 888 bits */ | ||
165 | .max_addtllen = 35, | ||
166 | .max_bits = 19, | ||
167 | .max_req = 48, | ||
168 | .blocklen_bytes = 48, | ||
169 | .cra_name = "sha384", | ||
170 | .backend_cra_name = "sha384", | ||
171 | }, { | ||
172 | .flags = DRBG_HASH | DRBG_STRENGTH256, | ||
173 | .statelen = 111, /* 888 bits */ | ||
174 | .max_addtllen = 35, | ||
175 | .max_bits = 19, | ||
176 | .max_req = 48, | ||
177 | .blocklen_bytes = 64, | ||
178 | .cra_name = "sha512", | ||
179 | .backend_cra_name = "sha512", | ||
180 | }, { | ||
181 | .flags = DRBG_HASH | DRBG_STRENGTH256, | ||
182 | .statelen = 55, /* 440 bits */ | ||
183 | .max_addtllen = 35, | ||
184 | .max_bits = 19, | ||
185 | .max_req = 48, | ||
186 | .blocklen_bytes = 32, | ||
187 | .cra_name = "sha256", | ||
188 | .backend_cra_name = "sha256", | ||
189 | }, | ||
190 | #endif /* CONFIG_CRYPTO_DRBG_HASH */ | ||
191 | #ifdef CONFIG_CRYPTO_DRBG_HMAC | ||
192 | { | ||
193 | .flags = DRBG_HMAC | DRBG_STRENGTH256, | ||
194 | .statelen = 20, /* block length of cipher */ | ||
195 | .max_addtllen = 35, | ||
196 | .max_bits = 19, | ||
197 | .max_req = 48, | ||
198 | .blocklen_bytes = 20, | ||
199 | .cra_name = "hmac_sha1", | ||
200 | .backend_cra_name = "hmac(sha1)", | ||
201 | }, { | ||
202 | .flags = DRBG_HMAC | DRBG_STRENGTH256, | ||
203 | .statelen = 48, /* block length of cipher */ | ||
204 | .max_addtllen = 35, | ||
205 | .max_bits = 19, | ||
206 | .max_req = 48, | ||
207 | .blocklen_bytes = 48, | ||
208 | .cra_name = "hmac_sha384", | ||
209 | .backend_cra_name = "hmac(sha384)", | ||
210 | }, { | ||
211 | .flags = DRBG_HMAC | DRBG_STRENGTH256, | ||
212 | .statelen = 64, /* block length of cipher */ | ||
213 | .max_addtllen = 35, | ||
214 | .max_bits = 19, | ||
215 | .max_req = 48, | ||
216 | .blocklen_bytes = 64, | ||
217 | .cra_name = "hmac_sha512", | ||
218 | .backend_cra_name = "hmac(sha512)", | ||
219 | }, { | ||
220 | .flags = DRBG_HMAC | DRBG_STRENGTH256, | ||
221 | .statelen = 32, /* block length of cipher */ | ||
222 | .max_addtllen = 35, | ||
223 | .max_bits = 19, | ||
224 | .max_req = 48, | ||
225 | .blocklen_bytes = 32, | ||
226 | .cra_name = "hmac_sha256", | ||
227 | .backend_cra_name = "hmac(sha256)", | ||
228 | }, | ||
229 | #endif /* CONFIG_CRYPTO_DRBG_HMAC */ | ||
230 | }; | ||
231 | |||
232 | /****************************************************************** | ||
233 | * Generic helper functions | ||
234 | ******************************************************************/ | ||
235 | |||
236 | /* | ||
237 | * Return strength of DRBG according to SP800-90A section 8.4 | ||
238 | * | ||
239 | * @flags DRBG flags reference | ||
240 | * | ||
241 | * Return: normalized strength in *bytes* value or 32 as default | ||
242 | * to counter programming errors | ||
243 | */ | ||
244 | static inline unsigned short drbg_sec_strength(drbg_flag_t flags) | ||
245 | { | ||
246 | switch (flags & DRBG_STRENGTH_MASK) { | ||
247 | case DRBG_STRENGTH128: | ||
248 | return 16; | ||
249 | case DRBG_STRENGTH192: | ||
250 | return 24; | ||
251 | case DRBG_STRENGTH256: | ||
252 | return 32; | ||
253 | default: | ||
254 | return 32; | ||
255 | } | ||
256 | } | ||
257 | |||
258 | /* | ||
259 | * FIPS 140-2 continuous self test | ||
260 | * The test is performed on the result of one round of the output | ||
261 | * function. Thus, the function implicitly knows the size of the | ||
262 | * buffer. | ||
263 | * | ||
264 | * The FIPS test can be called in an endless loop until it returns | ||
265 | * true. Although the code looks like a potential for a deadlock, it | ||
266 | * is not the case, because returning a false cannot mathematically | ||
267 | * occur (except once when a reseed took place and the updated state | ||
268 | * would is now set up such that the generation of new value returns | ||
269 | * an identical one -- this is most unlikely and would happen only once). | ||
270 | * Thus, if this function repeatedly returns false and thus would cause | ||
271 | * a deadlock, the integrity of the entire kernel is lost. | ||
272 | * | ||
273 | * @drbg DRBG handle | ||
274 | * @buf output buffer of random data to be checked | ||
275 | * | ||
276 | * return: | ||
277 | * true on success | ||
278 | * false on error | ||
279 | */ | ||
280 | static bool drbg_fips_continuous_test(struct drbg_state *drbg, | ||
281 | const unsigned char *buf) | ||
282 | { | ||
283 | #ifdef CONFIG_CRYPTO_FIPS | ||
284 | int ret = 0; | ||
285 | /* skip test if we test the overall system */ | ||
286 | if (drbg->test_data) | ||
287 | return true; | ||
288 | /* only perform test in FIPS mode */ | ||
289 | if (0 == fips_enabled) | ||
290 | return true; | ||
291 | if (!drbg->fips_primed) { | ||
292 | /* Priming of FIPS test */ | ||
293 | memcpy(drbg->prev, buf, drbg_blocklen(drbg)); | ||
294 | drbg->fips_primed = true; | ||
295 | /* return false due to priming, i.e. another round is needed */ | ||
296 | return false; | ||
297 | } | ||
298 | ret = memcmp(drbg->prev, buf, drbg_blocklen(drbg)); | ||
299 | memcpy(drbg->prev, buf, drbg_blocklen(drbg)); | ||
300 | /* the test shall pass when the two compared values are not equal */ | ||
301 | return ret != 0; | ||
302 | #else | ||
303 | return true; | ||
304 | #endif /* CONFIG_CRYPTO_FIPS */ | ||
305 | } | ||
306 | |||
307 | /* | ||
308 | * Convert an integer into a byte representation of this integer. | ||
309 | * The byte representation is big-endian | ||
310 | * | ||
311 | * @buf buffer holding the converted integer | ||
312 | * @val value to be converted | ||
313 | * @buflen length of buffer | ||
314 | */ | ||
315 | #if (defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR)) | ||
316 | static inline void drbg_int2byte(unsigned char *buf, uint64_t val, | ||
317 | size_t buflen) | ||
318 | { | ||
319 | unsigned char *byte; | ||
320 | uint64_t i; | ||
321 | |||
322 | byte = buf + (buflen - 1); | ||
323 | for (i = 0; i < buflen; i++) | ||
324 | *(byte--) = val >> (i * 8) & 0xff; | ||
325 | } | ||
326 | |||
327 | /* | ||
328 | * Increment buffer | ||
329 | * | ||
330 | * @dst buffer to increment | ||
331 | * @add value to add | ||
332 | */ | ||
333 | static inline void drbg_add_buf(unsigned char *dst, size_t dstlen, | ||
334 | const unsigned char *add, size_t addlen) | ||
335 | { | ||
336 | /* implied: dstlen > addlen */ | ||
337 | unsigned char *dstptr; | ||
338 | const unsigned char *addptr; | ||
339 | unsigned int remainder = 0; | ||
340 | size_t len = addlen; | ||
341 | |||
342 | dstptr = dst + (dstlen-1); | ||
343 | addptr = add + (addlen-1); | ||
344 | while (len) { | ||
345 | remainder += *dstptr + *addptr; | ||
346 | *dstptr = remainder & 0xff; | ||
347 | remainder >>= 8; | ||
348 | len--; dstptr--; addptr--; | ||
349 | } | ||
350 | len = dstlen - addlen; | ||
351 | while (len && remainder > 0) { | ||
352 | remainder = *dstptr + 1; | ||
353 | *dstptr = remainder & 0xff; | ||
354 | remainder >>= 8; | ||
355 | len--; dstptr--; | ||
356 | } | ||
357 | } | ||
358 | #endif /* defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR) */ | ||
359 | |||
360 | /****************************************************************** | ||
361 | * CTR DRBG callback functions | ||
362 | ******************************************************************/ | ||
363 | |||
364 | #ifdef CONFIG_CRYPTO_DRBG_CTR | ||
365 | static int drbg_kcapi_sym(struct drbg_state *drbg, const unsigned char *key, | ||
366 | unsigned char *outval, const struct drbg_string *in); | ||
367 | static int drbg_init_sym_kernel(struct drbg_state *drbg); | ||
368 | static int drbg_fini_sym_kernel(struct drbg_state *drbg); | ||
369 | |||
370 | /* BCC function for CTR DRBG as defined in 10.4.3 */ | ||
371 | static int drbg_ctr_bcc(struct drbg_state *drbg, | ||
372 | unsigned char *out, const unsigned char *key, | ||
373 | struct drbg_string *in) | ||
374 | { | ||
375 | int ret = -EFAULT; | ||
376 | struct drbg_string *curr = in; | ||
377 | size_t inpos = curr->len; | ||
378 | const unsigned char *pos = curr->buf; | ||
379 | struct drbg_string data; | ||
380 | |||
381 | drbg_string_fill(&data, out, drbg_blocklen(drbg)); | ||
382 | |||
383 | /* 10.4.3 step 1 */ | ||
384 | memset(out, 0, drbg_blocklen(drbg)); | ||
385 | |||
386 | /* 10.4.3 step 2 / 4 */ | ||
387 | while (inpos) { | ||
388 | short cnt = 0; | ||
389 | /* 10.4.3 step 4.1 */ | ||
390 | for (cnt = 0; cnt < drbg_blocklen(drbg); cnt++) { | ||
391 | out[cnt] ^= *pos; | ||
392 | pos++; inpos--; | ||
393 | /* | ||
394 | * The following branch implements the linked list | ||
395 | * iteration of drbg_string *in. If we are at the | ||
396 | * end of the current list member, we have to start | ||
397 | * using the next member if available. The inpos | ||
398 | * value always points to the current byte and will | ||
399 | * be zero if we have processed the last byte of | ||
400 | * the last linked list member. | ||
401 | */ | ||
402 | if (0 == inpos) { | ||
403 | curr = curr->next; | ||
404 | if (NULL != curr) { | ||
405 | pos = curr->buf; | ||
406 | inpos = curr->len; | ||
407 | } else { | ||
408 | inpos = 0; | ||
409 | break; | ||
410 | } | ||
411 | } | ||
412 | } | ||
413 | /* 10.4.3 step 4.2 */ | ||
414 | ret = drbg_kcapi_sym(drbg, key, out, &data); | ||
415 | if (ret) | ||
416 | return ret; | ||
417 | /* 10.4.3 step 2 */ | ||
418 | } | ||
419 | return 0; | ||
420 | } | ||
421 | |||
422 | /* | ||
423 | * scratchpad usage: drbg_ctr_update is interlinked with drbg_ctr_df | ||
424 | * (and drbg_ctr_bcc, but this function does not need any temporary buffers), | ||
425 | * the scratchpad is used as follows: | ||
426 | * drbg_ctr_update: | ||
427 | * temp | ||
428 | * start: drbg->scratchpad | ||
429 | * length: drbg_statelen(drbg) + drbg_blocklen(drbg) | ||
430 | * note: the cipher writing into this variable works | ||
431 | * blocklen-wise. Now, when the statelen is not a multiple | ||
432 | * of blocklen, the generateion loop below "spills over" | ||
433 | * by at most blocklen. Thus, we need to give sufficient | ||
434 | * memory. | ||
435 | * df_data | ||
436 | * start: drbg->scratchpad + | ||
437 | * drbg_statelen(drbg) + drbg_blocklen(drbg) | ||
438 | * length: drbg_statelen(drbg) | ||
439 | * | ||
440 | * drbg_ctr_df: | ||
441 | * pad | ||
442 | * start: df_data + drbg_statelen(drbg) | ||
443 | * length: drbg_blocklen(drbg) | ||
444 | * iv | ||
445 | * start: pad + drbg_blocklen(drbg) | ||
446 | * length: drbg_blocklen(drbg) | ||
447 | * temp | ||
448 | * start: iv + drbg_blocklen(drbg) | ||
449 | * length: (drbg_keylen(drbg) + drbg_blocklen(drbg) == | ||
450 | * drbg_statelen(drbg)) | ||
451 | */ | ||
452 | |||
453 | /* Derivation Function for CTR DRBG as defined in 10.4.2 */ | ||
454 | static int drbg_ctr_df(struct drbg_state *drbg, | ||
455 | unsigned char *df_data, size_t bytes_to_return, | ||
456 | struct drbg_string *addtl) | ||
457 | { | ||
458 | int ret = -EFAULT; | ||
459 | unsigned char L_N[8]; | ||
460 | /* S3 is input */ | ||
461 | struct drbg_string S1, S2, S4, cipherin; | ||
462 | struct drbg_string *tempstr = addtl; | ||
463 | unsigned char *pad = df_data + drbg_statelen(drbg); | ||
464 | unsigned char *iv = pad + drbg_blocklen(drbg); | ||
465 | unsigned char *temp = iv + drbg_blocklen(drbg); | ||
466 | size_t padlen = 0; | ||
467 | unsigned int templen = 0; | ||
468 | /* 10.4.2 step 7 */ | ||
469 | unsigned int i = 0; | ||
470 | /* 10.4.2 step 8 */ | ||
471 | const unsigned char *K = (unsigned char *) | ||
472 | "\x00\x01\x02\x03\x04\x05\x06\x07" | ||
473 | "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" | ||
474 | "\x10\x11\x12\x13\x14\x15\x16\x17" | ||
475 | "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"; | ||
476 | unsigned char *X; | ||
477 | size_t generated_len = 0; | ||
478 | size_t inputlen = 0; | ||
479 | |||
480 | memset(pad, 0, drbg_blocklen(drbg)); | ||
481 | memset(iv, 0, drbg_blocklen(drbg)); | ||
482 | memset(temp, 0, drbg_statelen(drbg)); | ||
483 | |||
484 | /* 10.4.2 step 1 is implicit as we work byte-wise */ | ||
485 | |||
486 | /* 10.4.2 step 2 */ | ||
487 | if ((512/8) < bytes_to_return) | ||
488 | return -EINVAL; | ||
489 | |||
490 | /* 10.4.2 step 2 -- calculate the entire length of all input data */ | ||
491 | for (; NULL != tempstr; tempstr = tempstr->next) | ||
492 | inputlen += tempstr->len; | ||
493 | drbg_int2byte(&L_N[0], inputlen, 4); | ||
494 | |||
495 | /* 10.4.2 step 3 */ | ||
496 | drbg_int2byte(&L_N[4], bytes_to_return, 4); | ||
497 | |||
498 | /* 10.4.2 step 5: length is L_N, input_string, one byte, padding */ | ||
499 | padlen = (inputlen + sizeof(L_N) + 1) % (drbg_blocklen(drbg)); | ||
500 | /* wrap the padlen appropriately */ | ||
501 | if (padlen) | ||
502 | padlen = drbg_blocklen(drbg) - padlen; | ||
503 | /* | ||
504 | * pad / padlen contains the 0x80 byte and the following zero bytes. | ||
505 | * As the calculated padlen value only covers the number of zero | ||
506 | * bytes, this value has to be incremented by one for the 0x80 byte. | ||
507 | */ | ||
508 | padlen++; | ||
509 | pad[0] = 0x80; | ||
510 | |||
511 | /* 10.4.2 step 4 -- first fill the linked list and then order it */ | ||
512 | drbg_string_fill(&S1, iv, drbg_blocklen(drbg)); | ||
513 | drbg_string_fill(&S2, L_N, sizeof(L_N)); | ||
514 | drbg_string_fill(&S4, pad, padlen); | ||
515 | S1.next = &S2; | ||
516 | S2.next = addtl; | ||
517 | |||
518 | /* | ||
519 | * splice in addtl between S2 and S4 -- we place S4 at the end of the | ||
520 | * input data chain | ||
521 | */ | ||
522 | tempstr = addtl; | ||
523 | for (; NULL != tempstr; tempstr = tempstr->next) | ||
524 | if (NULL == tempstr->next) | ||
525 | break; | ||
526 | tempstr->next = &S4; | ||
527 | |||
528 | /* 10.4.2 step 9 */ | ||
529 | while (templen < (drbg_keylen(drbg) + (drbg_blocklen(drbg)))) { | ||
530 | /* | ||
531 | * 10.4.2 step 9.1 - the padding is implicit as the buffer | ||
532 | * holds zeros after allocation -- even the increment of i | ||
533 | * is irrelevant as the increment remains within length of i | ||
534 | */ | ||
535 | drbg_int2byte(iv, i, 4); | ||
536 | /* 10.4.2 step 9.2 -- BCC and concatenation with temp */ | ||
537 | ret = drbg_ctr_bcc(drbg, temp + templen, K, &S1); | ||
538 | if (ret) | ||
539 | goto out; | ||
540 | /* 10.4.2 step 9.3 */ | ||
541 | i++; | ||
542 | templen += drbg_blocklen(drbg); | ||
543 | } | ||
544 | |||
545 | /* 10.4.2 step 11 */ | ||
546 | X = temp + (drbg_keylen(drbg)); | ||
547 | drbg_string_fill(&cipherin, X, drbg_blocklen(drbg)); | ||
548 | |||
549 | /* 10.4.2 step 12: overwriting of outval is implemented in next step */ | ||
550 | |||
551 | /* 10.4.2 step 13 */ | ||
552 | while (generated_len < bytes_to_return) { | ||
553 | short blocklen = 0; | ||
554 | /* | ||
555 | * 10.4.2 step 13.1: the truncation of the key length is | ||
556 | * implicit as the key is only drbg_blocklen in size based on | ||
557 | * the implementation of the cipher function callback | ||
558 | */ | ||
559 | ret = drbg_kcapi_sym(drbg, temp, X, &cipherin); | ||
560 | if (ret) | ||
561 | goto out; | ||
562 | blocklen = (drbg_blocklen(drbg) < | ||
563 | (bytes_to_return - generated_len)) ? | ||
564 | drbg_blocklen(drbg) : | ||
565 | (bytes_to_return - generated_len); | ||
566 | /* 10.4.2 step 13.2 and 14 */ | ||
567 | memcpy(df_data + generated_len, X, blocklen); | ||
568 | generated_len += blocklen; | ||
569 | } | ||
570 | |||
571 | ret = 0; | ||
572 | |||
573 | out: | ||
574 | memset(iv, 0, drbg_blocklen(drbg)); | ||
575 | memset(temp, 0, drbg_statelen(drbg)); | ||
576 | memset(pad, 0, drbg_blocklen(drbg)); | ||
577 | return ret; | ||
578 | } | ||
579 | |||
580 | /* update function of CTR DRBG as defined in 10.2.1.2 */ | ||
581 | static int drbg_ctr_update(struct drbg_state *drbg, | ||
582 | struct drbg_string *addtl, int reseed) | ||
583 | { | ||
584 | int ret = -EFAULT; | ||
585 | /* 10.2.1.2 step 1 */ | ||
586 | unsigned char *temp = drbg->scratchpad; | ||
587 | unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) + | ||
588 | drbg_blocklen(drbg); | ||
589 | unsigned char *temp_p, *df_data_p; /* pointer to iterate over buffers */ | ||
590 | unsigned int len = 0; | ||
591 | struct drbg_string cipherin; | ||
592 | unsigned char prefix = DRBG_PREFIX1; | ||
593 | |||
594 | memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg)); | ||
595 | memset(df_data, 0, drbg_statelen(drbg)); | ||
596 | |||
597 | /* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */ | ||
598 | if (addtl && 0 < addtl->len) { | ||
599 | ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), | ||
600 | addtl); | ||
601 | if (ret) | ||
602 | goto out; | ||
603 | } | ||
604 | |||
605 | drbg_string_fill(&cipherin, drbg->V, drbg_blocklen(drbg)); | ||
606 | /* | ||
607 | * 10.2.1.3.2 steps 2 and 3 are already covered as the allocation | ||
608 | * zeroizes all memory during initialization | ||
609 | */ | ||
610 | while (len < (drbg_statelen(drbg))) { | ||
611 | /* 10.2.1.2 step 2.1 */ | ||
612 | drbg_add_buf(drbg->V, drbg_blocklen(drbg), &prefix, 1); | ||
613 | /* | ||
614 | * 10.2.1.2 step 2.2 */ | ||
615 | ret = drbg_kcapi_sym(drbg, drbg->C, temp + len, &cipherin); | ||
616 | if (ret) | ||
617 | goto out; | ||
618 | /* 10.2.1.2 step 2.3 and 3 */ | ||
619 | len += drbg_blocklen(drbg); | ||
620 | } | ||
621 | |||
622 | /* 10.2.1.2 step 4 */ | ||
623 | temp_p = temp; | ||
624 | df_data_p = df_data; | ||
625 | for (len = 0; len < drbg_statelen(drbg); len++) { | ||
626 | *temp_p ^= *df_data_p; | ||
627 | df_data_p++; temp_p++; | ||
628 | } | ||
629 | |||
630 | /* 10.2.1.2 step 5 */ | ||
631 | memcpy(drbg->C, temp, drbg_keylen(drbg)); | ||
632 | /* 10.2.1.2 step 6 */ | ||
633 | memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg)); | ||
634 | ret = 0; | ||
635 | |||
636 | out: | ||
637 | memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg)); | ||
638 | memset(df_data, 0, drbg_statelen(drbg)); | ||
639 | return ret; | ||
640 | } | ||
641 | |||
642 | /* | ||
643 | * scratchpad use: drbg_ctr_update is called independently from | ||
644 | * drbg_ctr_extract_bytes. Therefore, the scratchpad is reused | ||
645 | */ | ||
646 | /* Generate function of CTR DRBG as defined in 10.2.1.5.2 */ | ||
647 | static int drbg_ctr_generate(struct drbg_state *drbg, | ||
648 | unsigned char *buf, unsigned int buflen, | ||
649 | struct drbg_string *addtl) | ||
650 | { | ||
651 | int len = 0; | ||
652 | int ret = 0; | ||
653 | struct drbg_string data; | ||
654 | unsigned char prefix = DRBG_PREFIX1; | ||
655 | |||
656 | memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); | ||
657 | |||
658 | /* 10.2.1.5.2 step 2 */ | ||
659 | if (addtl && 0 < addtl->len) { | ||
660 | addtl->next = NULL; | ||
661 | ret = drbg_ctr_update(drbg, addtl, 1); | ||
662 | if (ret) | ||
663 | return 0; | ||
664 | } | ||
665 | |||
666 | /* 10.2.1.5.2 step 4.1 */ | ||
667 | drbg_add_buf(drbg->V, drbg_blocklen(drbg), &prefix, 1); | ||
668 | drbg_string_fill(&data, drbg->V, drbg_blocklen(drbg)); | ||
669 | while (len < buflen) { | ||
670 | int outlen = 0; | ||
671 | /* 10.2.1.5.2 step 4.2 */ | ||
672 | ret = drbg_kcapi_sym(drbg, drbg->C, drbg->scratchpad, &data); | ||
673 | if (ret) { | ||
674 | len = ret; | ||
675 | goto out; | ||
676 | } | ||
677 | outlen = (drbg_blocklen(drbg) < (buflen - len)) ? | ||
678 | drbg_blocklen(drbg) : (buflen - len); | ||
679 | if (!drbg_fips_continuous_test(drbg, drbg->scratchpad)) { | ||
680 | /* 10.2.1.5.2 step 6 */ | ||
681 | drbg_add_buf(drbg->V, drbg_blocklen(drbg), &prefix, 1); | ||
682 | continue; | ||
683 | } | ||
684 | /* 10.2.1.5.2 step 4.3 */ | ||
685 | memcpy(buf + len, drbg->scratchpad, outlen); | ||
686 | len += outlen; | ||
687 | /* 10.2.1.5.2 step 6 */ | ||
688 | if (len < buflen) | ||
689 | drbg_add_buf(drbg->V, drbg_blocklen(drbg), &prefix, 1); | ||
690 | } | ||
691 | |||
692 | /* 10.2.1.5.2 step 6 */ | ||
693 | if (addtl) | ||
694 | addtl->next = NULL; | ||
695 | /* | ||
696 | * The following call invokes the DF function again which could be | ||
697 | * optimized. In step 2, the "additional_input" after step 2 is the | ||
698 | * output of the DF function. If this result would be saved, the DF | ||
699 | * function would not need to be invoked again at this point. | ||
700 | */ | ||
701 | ret = drbg_ctr_update(drbg, addtl, 1); | ||
702 | if (ret) | ||
703 | len = ret; | ||
704 | |||
705 | out: | ||
706 | memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); | ||
707 | return len; | ||
708 | } | ||
709 | |||
710 | static struct drbg_state_ops drbg_ctr_ops = { | ||
711 | .update = drbg_ctr_update, | ||
712 | .generate = drbg_ctr_generate, | ||
713 | .crypto_init = drbg_init_sym_kernel, | ||
714 | .crypto_fini = drbg_fini_sym_kernel, | ||
715 | }; | ||
716 | #endif /* CONFIG_CRYPTO_DRBG_CTR */ | ||
717 | |||
718 | /****************************************************************** | ||
719 | * HMAC DRBG callback functions | ||
720 | ******************************************************************/ | ||
721 | |||
722 | #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) | ||
723 | static int drbg_kcapi_hash(struct drbg_state *drbg, const unsigned char *key, | ||
724 | unsigned char *outval, const struct drbg_string *in); | ||
725 | static int drbg_init_hash_kernel(struct drbg_state *drbg); | ||
726 | static int drbg_fini_hash_kernel(struct drbg_state *drbg); | ||
727 | #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ | ||
728 | |||
729 | #ifdef CONFIG_CRYPTO_DRBG_HMAC | ||
730 | /* update function of HMAC DRBG as defined in 10.1.2.2 */ | ||
731 | static int drbg_hmac_update(struct drbg_state *drbg, | ||
732 | struct drbg_string *seed, int reseed) | ||
733 | { | ||
734 | int ret = -EFAULT; | ||
735 | int i = 0; | ||
736 | struct drbg_string seed1, seed2, cipherin; | ||
737 | |||
738 | if (!reseed) { | ||
739 | /* 10.1.2.3 step 2 */ | ||
740 | memset(drbg->C, 0, drbg_statelen(drbg)); | ||
741 | memset(drbg->V, 1, drbg_statelen(drbg)); | ||
742 | } | ||
743 | |||
744 | drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg)); | ||
745 | /* buffer of seed2 will be filled in for loop below with one byte */ | ||
746 | drbg_string_fill(&seed2, NULL, 1); | ||
747 | seed1.next = &seed2; | ||
748 | /* input data of seed is allowed to be NULL at this point */ | ||
749 | seed2.next = seed; | ||
750 | |||
751 | drbg_string_fill(&cipherin, drbg->V, drbg_statelen(drbg)); | ||
752 | for (i = 2; 0 < i; i--) { | ||
753 | /* first round uses 0x0, second 0x1 */ | ||
754 | unsigned char prefix = DRBG_PREFIX0; | ||
755 | if (1 == i) | ||
756 | prefix = DRBG_PREFIX1; | ||
757 | /* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */ | ||
758 | seed2.buf = &prefix; | ||
759 | ret = drbg_kcapi_hash(drbg, drbg->C, drbg->C, &seed1); | ||
760 | if (ret) | ||
761 | return ret; | ||
762 | |||
763 | /* 10.1.2.2 step 2 and 5 -- HMAC for V */ | ||
764 | ret = drbg_kcapi_hash(drbg, drbg->C, drbg->V, &cipherin); | ||
765 | if (ret) | ||
766 | return ret; | ||
767 | |||
768 | /* 10.1.2.2 step 3 */ | ||
769 | if (!seed || 0 == seed->len) | ||
770 | return ret; | ||
771 | } | ||
772 | |||
773 | return 0; | ||
774 | } | ||
775 | |||
776 | /* generate function of HMAC DRBG as defined in 10.1.2.5 */ | ||
777 | static int drbg_hmac_generate(struct drbg_state *drbg, | ||
778 | unsigned char *buf, | ||
779 | unsigned int buflen, | ||
780 | struct drbg_string *addtl) | ||
781 | { | ||
782 | int len = 0; | ||
783 | int ret = 0; | ||
784 | struct drbg_string data; | ||
785 | |||
786 | /* 10.1.2.5 step 2 */ | ||
787 | if (addtl && 0 < addtl->len) { | ||
788 | addtl->next = NULL; | ||
789 | ret = drbg_hmac_update(drbg, addtl, 1); | ||
790 | if (ret) | ||
791 | return ret; | ||
792 | } | ||
793 | |||
794 | drbg_string_fill(&data, drbg->V, drbg_statelen(drbg)); | ||
795 | while (len < buflen) { | ||
796 | unsigned int outlen = 0; | ||
797 | /* 10.1.2.5 step 4.1 */ | ||
798 | ret = drbg_kcapi_hash(drbg, drbg->C, drbg->V, &data); | ||
799 | if (ret) | ||
800 | return ret; | ||
801 | outlen = (drbg_blocklen(drbg) < (buflen - len)) ? | ||
802 | drbg_blocklen(drbg) : (buflen - len); | ||
803 | if (!drbg_fips_continuous_test(drbg, drbg->V)) | ||
804 | continue; | ||
805 | |||
806 | /* 10.1.2.5 step 4.2 */ | ||
807 | memcpy(buf + len, drbg->V, outlen); | ||
808 | len += outlen; | ||
809 | } | ||
810 | |||
811 | /* 10.1.2.5 step 6 */ | ||
812 | if (addtl) | ||
813 | addtl->next = NULL; | ||
814 | ret = drbg_hmac_update(drbg, addtl, 1); | ||
815 | if (ret) | ||
816 | return ret; | ||
817 | |||
818 | return len; | ||
819 | } | ||
820 | |||
821 | static struct drbg_state_ops drbg_hmac_ops = { | ||
822 | .update = drbg_hmac_update, | ||
823 | .generate = drbg_hmac_generate, | ||
824 | .crypto_init = drbg_init_hash_kernel, | ||
825 | .crypto_fini = drbg_fini_hash_kernel, | ||
826 | |||
827 | }; | ||
828 | #endif /* CONFIG_CRYPTO_DRBG_HMAC */ | ||
829 | |||
830 | /****************************************************************** | ||
831 | * Hash DRBG callback functions | ||
832 | ******************************************************************/ | ||
833 | |||
834 | #ifdef CONFIG_CRYPTO_DRBG_HASH | ||
835 | /* | ||
836 | * scratchpad usage: as drbg_hash_update and drbg_hash_df are used | ||
837 | * interlinked, the scratchpad is used as follows: | ||
838 | * drbg_hash_update | ||
839 | * start: drbg->scratchpad | ||
840 | * length: drbg_statelen(drbg) | ||
841 | * drbg_hash_df: | ||
842 | * start: drbg->scratchpad + drbg_statelen(drbg) | ||
843 | * length: drbg_blocklen(drbg) | ||
844 | * | ||
845 | * drbg_hash_process_addtl uses the scratchpad, but fully completes | ||
846 | * before either of the functions mentioned before are invoked. Therefore, | ||
847 | * drbg_hash_process_addtl does not need to be specifically considered. | ||
848 | */ | ||
849 | |||
850 | /* Derivation Function for Hash DRBG as defined in 10.4.1 */ | ||
851 | static int drbg_hash_df(struct drbg_state *drbg, | ||
852 | unsigned char *outval, size_t outlen, | ||
853 | struct drbg_string *entropy) | ||
854 | { | ||
855 | int ret = 0; | ||
856 | size_t len = 0; | ||
857 | unsigned char input[5]; | ||
858 | unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg); | ||
859 | struct drbg_string data1; | ||
860 | |||
861 | memset(tmp, 0, drbg_blocklen(drbg)); | ||
862 | |||
863 | /* 10.4.1 step 3 */ | ||
864 | input[0] = 1; | ||
865 | drbg_int2byte(&input[1], (outlen * 8), 4); | ||
866 | |||
867 | /* 10.4.1 step 4.1 -- concatenation of data for input into hash */ | ||
868 | drbg_string_fill(&data1, input, 5); | ||
869 | data1.next = entropy; | ||
870 | |||
871 | /* 10.4.1 step 4 */ | ||
872 | while (len < outlen) { | ||
873 | short blocklen = 0; | ||
874 | /* 10.4.1 step 4.1 */ | ||
875 | ret = drbg_kcapi_hash(drbg, NULL, tmp, &data1); | ||
876 | if (ret) | ||
877 | goto out; | ||
878 | /* 10.4.1 step 4.2 */ | ||
879 | input[0]++; | ||
880 | blocklen = (drbg_blocklen(drbg) < (outlen - len)) ? | ||
881 | drbg_blocklen(drbg) : (outlen - len); | ||
882 | memcpy(outval + len, tmp, blocklen); | ||
883 | len += blocklen; | ||
884 | } | ||
885 | |||
886 | out: | ||
887 | memset(tmp, 0, drbg_blocklen(drbg)); | ||
888 | return ret; | ||
889 | } | ||
890 | |||
891 | /* update function for Hash DRBG as defined in 10.1.1.2 / 10.1.1.3 */ | ||
892 | static int drbg_hash_update(struct drbg_state *drbg, struct drbg_string *seed, | ||
893 | int reseed) | ||
894 | { | ||
895 | int ret = 0; | ||
896 | struct drbg_string data1, data2; | ||
897 | unsigned char *V = drbg->scratchpad; | ||
898 | unsigned char prefix = DRBG_PREFIX1; | ||
899 | |||
900 | memset(drbg->scratchpad, 0, drbg_statelen(drbg)); | ||
901 | if (!seed) | ||
902 | return -EINVAL; | ||
903 | |||
904 | if (reseed) { | ||
905 | /* 10.1.1.3 step 1 */ | ||
906 | memcpy(V, drbg->V, drbg_statelen(drbg)); | ||
907 | drbg_string_fill(&data1, &prefix, 1); | ||
908 | drbg_string_fill(&data2, V, drbg_statelen(drbg)); | ||
909 | data1.next = &data2; | ||
910 | data2.next = seed; | ||
911 | } else { | ||
912 | drbg_string_fill(&data1, seed->buf, seed->len); | ||
913 | data1.next = seed->next; | ||
914 | } | ||
915 | |||
916 | /* 10.1.1.2 / 10.1.1.3 step 2 and 3 */ | ||
917 | ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &data1); | ||
918 | if (ret) | ||
919 | goto out; | ||
920 | |||
921 | /* 10.1.1.2 / 10.1.1.3 step 4 */ | ||
922 | prefix = DRBG_PREFIX0; | ||
923 | drbg_string_fill(&data1, &prefix, 1); | ||
924 | drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); | ||
925 | data1.next = &data2; | ||
926 | /* 10.1.1.2 / 10.1.1.3 step 4 */ | ||
927 | ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &data1); | ||
928 | |||
929 | out: | ||
930 | memset(drbg->scratchpad, 0, drbg_statelen(drbg)); | ||
931 | return ret; | ||
932 | } | ||
933 | |||
934 | /* processing of additional information string for Hash DRBG */ | ||
935 | static int drbg_hash_process_addtl(struct drbg_state *drbg, | ||
936 | struct drbg_string *addtl) | ||
937 | { | ||
938 | int ret = 0; | ||
939 | struct drbg_string data1, data2; | ||
940 | struct drbg_string *data3; | ||
941 | unsigned char prefix = DRBG_PREFIX2; | ||
942 | |||
943 | /* this is value w as per documentation */ | ||
944 | memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); | ||
945 | |||
946 | /* 10.1.1.4 step 2 */ | ||
947 | if (!addtl || 0 == addtl->len) | ||
948 | return 0; | ||
949 | |||
950 | /* 10.1.1.4 step 2a */ | ||
951 | drbg_string_fill(&data1, &prefix, 1); | ||
952 | drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); | ||
953 | data3 = addtl; | ||
954 | data1.next = &data2; | ||
955 | data2.next = data3; | ||
956 | data3->next = NULL; | ||
957 | ret = drbg_kcapi_hash(drbg, NULL, drbg->scratchpad, &data1); | ||
958 | if (ret) | ||
959 | goto out; | ||
960 | |||
961 | /* 10.1.1.4 step 2b */ | ||
962 | drbg_add_buf(drbg->V, drbg_statelen(drbg), | ||
963 | drbg->scratchpad, drbg_blocklen(drbg)); | ||
964 | |||
965 | out: | ||
966 | memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); | ||
967 | return ret; | ||
968 | } | ||
969 | |||
970 | /* Hashgen defined in 10.1.1.4 */ | ||
971 | static int drbg_hash_hashgen(struct drbg_state *drbg, | ||
972 | unsigned char *buf, | ||
973 | unsigned int buflen) | ||
974 | { | ||
975 | int len = 0; | ||
976 | int ret = 0; | ||
977 | unsigned char *src = drbg->scratchpad; | ||
978 | unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg); | ||
979 | struct drbg_string data; | ||
980 | unsigned char prefix = DRBG_PREFIX1; | ||
981 | |||
982 | memset(src, 0, drbg_statelen(drbg)); | ||
983 | memset(dst, 0, drbg_blocklen(drbg)); | ||
984 | |||
985 | /* 10.1.1.4 step hashgen 2 */ | ||
986 | memcpy(src, drbg->V, drbg_statelen(drbg)); | ||
987 | |||
988 | drbg_string_fill(&data, src, drbg_statelen(drbg)); | ||
989 | while (len < buflen) { | ||
990 | unsigned int outlen = 0; | ||
991 | /* 10.1.1.4 step hashgen 4.1 */ | ||
992 | ret = drbg_kcapi_hash(drbg, NULL, dst, &data); | ||
993 | if (ret) { | ||
994 | len = ret; | ||
995 | goto out; | ||
996 | } | ||
997 | outlen = (drbg_blocklen(drbg) < (buflen - len)) ? | ||
998 | drbg_blocklen(drbg) : (buflen - len); | ||
999 | if (!drbg_fips_continuous_test(drbg, dst)) { | ||
1000 | drbg_add_buf(src, drbg_statelen(drbg), &prefix, 1); | ||
1001 | continue; | ||
1002 | } | ||
1003 | /* 10.1.1.4 step hashgen 4.2 */ | ||
1004 | memcpy(buf + len, dst, outlen); | ||
1005 | len += outlen; | ||
1006 | /* 10.1.1.4 hashgen step 4.3 */ | ||
1007 | if (len < buflen) | ||
1008 | drbg_add_buf(src, drbg_statelen(drbg), &prefix, 1); | ||
1009 | } | ||
1010 | |||
1011 | out: | ||
1012 | memset(drbg->scratchpad, 0, | ||
1013 | (drbg_statelen(drbg) + drbg_blocklen(drbg))); | ||
1014 | return len; | ||
1015 | } | ||
1016 | |||
1017 | /* generate function for Hash DRBG as defined in 10.1.1.4 */ | ||
1018 | static int drbg_hash_generate(struct drbg_state *drbg, | ||
1019 | unsigned char *buf, unsigned int buflen, | ||
1020 | struct drbg_string *addtl) | ||
1021 | { | ||
1022 | int len = 0; | ||
1023 | int ret = 0; | ||
1024 | unsigned char req[8]; | ||
1025 | unsigned char prefix = DRBG_PREFIX3; | ||
1026 | struct drbg_string data1, data2; | ||
1027 | |||
1028 | /* 10.1.1.4 step 2 */ | ||
1029 | ret = drbg_hash_process_addtl(drbg, addtl); | ||
1030 | if (ret) | ||
1031 | return ret; | ||
1032 | /* 10.1.1.4 step 3 */ | ||
1033 | len = drbg_hash_hashgen(drbg, buf, buflen); | ||
1034 | |||
1035 | /* this is the value H as documented in 10.1.1.4 */ | ||
1036 | memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); | ||
1037 | /* 10.1.1.4 step 4 */ | ||
1038 | drbg_string_fill(&data1, &prefix, 1); | ||
1039 | drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); | ||
1040 | data1.next = &data2; | ||
1041 | ret = drbg_kcapi_hash(drbg, NULL, drbg->scratchpad, &data1); | ||
1042 | if (ret) { | ||
1043 | len = ret; | ||
1044 | goto out; | ||
1045 | } | ||
1046 | |||
1047 | /* 10.1.1.4 step 5 */ | ||
1048 | drbg_add_buf(drbg->V, drbg_statelen(drbg), | ||
1049 | drbg->scratchpad, drbg_blocklen(drbg)); | ||
1050 | drbg_add_buf(drbg->V, drbg_statelen(drbg), | ||
1051 | drbg->C, drbg_statelen(drbg)); | ||
1052 | drbg_int2byte(req, drbg->reseed_ctr, sizeof(req)); | ||
1053 | drbg_add_buf(drbg->V, drbg_statelen(drbg), req, 8); | ||
1054 | |||
1055 | out: | ||
1056 | memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); | ||
1057 | return len; | ||
1058 | } | ||
1059 | |||
1060 | /* | ||
1061 | * scratchpad usage: as update and generate are used isolated, both | ||
1062 | * can use the scratchpad | ||
1063 | */ | ||
1064 | static struct drbg_state_ops drbg_hash_ops = { | ||
1065 | .update = drbg_hash_update, | ||
1066 | .generate = drbg_hash_generate, | ||
1067 | .crypto_init = drbg_init_hash_kernel, | ||
1068 | .crypto_fini = drbg_fini_hash_kernel, | ||
1069 | }; | ||
1070 | #endif /* CONFIG_CRYPTO_DRBG_HASH */ | ||
1071 | |||
1072 | /****************************************************************** | ||
1073 | * Functions common for DRBG implementations | ||
1074 | ******************************************************************/ | ||
1075 | |||
1076 | /* | ||
1077 | * Seeding or reseeding of the DRBG | ||
1078 | * | ||
1079 | * @drbg: DRBG state struct | ||
1080 | * @pers: personalization / additional information buffer | ||
1081 | * @reseed: 0 for initial seed process, 1 for reseeding | ||
1082 | * | ||
1083 | * return: | ||
1084 | * 0 on success | ||
1085 | * error value otherwise | ||
1086 | */ | ||
1087 | static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers, | ||
1088 | bool reseed) | ||
1089 | { | ||
1090 | int ret = 0; | ||
1091 | unsigned char *entropy = NULL; | ||
1092 | size_t entropylen = 0; | ||
1093 | struct drbg_string data1; | ||
1094 | |||
1095 | /* 9.1 / 9.2 / 9.3.1 step 3 */ | ||
1096 | if (pers && pers->len > (drbg_max_addtl(drbg))) { | ||
1097 | pr_devel("DRBG: personalization string too long %lu\n", | ||
1098 | pers->len); | ||
1099 | return -EINVAL; | ||
1100 | } | ||
1101 | |||
1102 | if (drbg->test_data && drbg->test_data->testentropy) { | ||
1103 | drbg_string_fill(&data1, drbg->test_data->testentropy->buf, | ||
1104 | drbg->test_data->testentropy->len); | ||
1105 | pr_devel("DRBG: using test entropy\n"); | ||
1106 | } else { | ||
1107 | /* | ||
1108 | * Gather entropy equal to the security strength of the DRBG. | ||
1109 | * With a derivation function, a nonce is required in addition | ||
1110 | * to the entropy. A nonce must be at least 1/2 of the security | ||
1111 | * strength of the DRBG in size. Thus, entropy * nonce is 3/2 | ||
1112 | * of the strength. The consideration of a nonce is only | ||
1113 | * applicable during initial seeding. | ||
1114 | */ | ||
1115 | entropylen = drbg_sec_strength(drbg->core->flags); | ||
1116 | if (!entropylen) | ||
1117 | return -EFAULT; | ||
1118 | if (!reseed) | ||
1119 | entropylen = ((entropylen + 1) / 2) * 3; | ||
1120 | pr_devel("DRBG: (re)seeding with %zu bytes of entropy\n", | ||
1121 | entropylen); | ||
1122 | entropy = kzalloc(entropylen, GFP_KERNEL); | ||
1123 | if (!entropy) | ||
1124 | return -ENOMEM; | ||
1125 | get_random_bytes(entropy, entropylen); | ||
1126 | drbg_string_fill(&data1, entropy, entropylen); | ||
1127 | } | ||
1128 | |||
1129 | /* | ||
1130 | * concatenation of entropy with personalization str / addtl input) | ||
1131 | * the variable pers is directly handed in by the caller, so check its | ||
1132 | * contents whether it is appropriate | ||
1133 | */ | ||
1134 | if (pers && pers->buf && 0 < pers->len && NULL == pers->next) { | ||
1135 | data1.next = pers; | ||
1136 | pr_devel("DRBG: using personalization string\n"); | ||
1137 | } | ||
1138 | |||
1139 | ret = drbg->d_ops->update(drbg, &data1, reseed); | ||
1140 | if (ret) | ||
1141 | goto out; | ||
1142 | |||
1143 | drbg->seeded = true; | ||
1144 | /* 10.1.1.2 / 10.1.1.3 step 5 */ | ||
1145 | drbg->reseed_ctr = 1; | ||
1146 | |||
1147 | out: | ||
1148 | if (entropy) | ||
1149 | kzfree(entropy); | ||
1150 | return ret; | ||
1151 | } | ||
1152 | |||
1153 | /* Free all substructures in a DRBG state without the DRBG state structure */ | ||
1154 | static inline void drbg_dealloc_state(struct drbg_state *drbg) | ||
1155 | { | ||
1156 | if (!drbg) | ||
1157 | return; | ||
1158 | if (drbg->V) | ||
1159 | kzfree(drbg->V); | ||
1160 | drbg->V = NULL; | ||
1161 | if (drbg->C) | ||
1162 | kzfree(drbg->C); | ||
1163 | drbg->C = NULL; | ||
1164 | if (drbg->scratchpad) | ||
1165 | kzfree(drbg->scratchpad); | ||
1166 | drbg->scratchpad = NULL; | ||
1167 | drbg->reseed_ctr = 0; | ||
1168 | #ifdef CONFIG_CRYPTO_FIPS | ||
1169 | if (drbg->prev) | ||
1170 | kzfree(drbg->prev); | ||
1171 | drbg->prev = NULL; | ||
1172 | drbg->fips_primed = false; | ||
1173 | #endif | ||
1174 | } | ||
1175 | |||
1176 | /* | ||
1177 | * Allocate all sub-structures for a DRBG state. | ||
1178 | * The DRBG state structure must already be allocated. | ||
1179 | */ | ||
1180 | static inline int drbg_alloc_state(struct drbg_state *drbg) | ||
1181 | { | ||
1182 | int ret = -ENOMEM; | ||
1183 | unsigned int sb_size = 0; | ||
1184 | |||
1185 | if (!drbg) | ||
1186 | return -EINVAL; | ||
1187 | |||
1188 | drbg->V = kzalloc(drbg_statelen(drbg), GFP_KERNEL); | ||
1189 | if (!drbg->V) | ||
1190 | goto err; | ||
1191 | drbg->C = kzalloc(drbg_statelen(drbg), GFP_KERNEL); | ||
1192 | if (!drbg->C) | ||
1193 | goto err; | ||
1194 | #ifdef CONFIG_CRYPTO_FIPS | ||
1195 | drbg->prev = kzalloc(drbg_blocklen(drbg), GFP_KERNEL); | ||
1196 | if (!drbg->prev) | ||
1197 | goto err; | ||
1198 | drbg->fips_primed = false; | ||
1199 | #endif | ||
1200 | /* scratchpad is only generated for CTR and Hash */ | ||
1201 | if (drbg->core->flags & DRBG_HMAC) | ||
1202 | sb_size = 0; | ||
1203 | else if (drbg->core->flags & DRBG_CTR) | ||
1204 | sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) + /* temp */ | ||
1205 | drbg_statelen(drbg) + /* df_data */ | ||
1206 | drbg_blocklen(drbg) + /* pad */ | ||
1207 | drbg_blocklen(drbg) + /* iv */ | ||
1208 | drbg_statelen(drbg); /* temp */ | ||
1209 | else | ||
1210 | sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg); | ||
1211 | |||
1212 | if (0 < sb_size) { | ||
1213 | drbg->scratchpad = kzalloc(sb_size, GFP_KERNEL); | ||
1214 | if (!drbg->scratchpad) | ||
1215 | goto err; | ||
1216 | } | ||
1217 | spin_lock_init(&drbg->drbg_lock); | ||
1218 | return 0; | ||
1219 | |||
1220 | err: | ||
1221 | drbg_dealloc_state(drbg); | ||
1222 | return ret; | ||
1223 | } | ||
1224 | |||
1225 | /* | ||
1226 | * Strategy to avoid holding long term locks: generate a shadow copy of DRBG | ||
1227 | * and perform all operations on this shadow copy. After finishing, restore | ||
1228 | * the updated state of the shadow copy into original drbg state. This way, | ||
1229 | * only the read and write operations of the original drbg state must be | ||
1230 | * locked | ||
1231 | */ | ||
1232 | static inline void drbg_copy_drbg(struct drbg_state *src, | ||
1233 | struct drbg_state *dst) | ||
1234 | { | ||
1235 | if (!src || !dst) | ||
1236 | return; | ||
1237 | memcpy(dst->V, src->V, drbg_statelen(src)); | ||
1238 | memcpy(dst->C, src->C, drbg_statelen(src)); | ||
1239 | dst->reseed_ctr = src->reseed_ctr; | ||
1240 | dst->seeded = src->seeded; | ||
1241 | dst->pr = src->pr; | ||
1242 | #ifdef CONFIG_CRYPTO_FIPS | ||
1243 | dst->fips_primed = src->fips_primed; | ||
1244 | memcpy(dst->prev, src->prev, drbg_blocklen(src)); | ||
1245 | #endif | ||
1246 | /* | ||
1247 | * Not copied: | ||
1248 | * scratchpad is initialized drbg_alloc_state; | ||
1249 | * priv_data is initialized with call to crypto_init; | ||
1250 | * d_ops and core are set outside, as these parameters are const; | ||
1251 | * test_data is set outside to prevent it being copied back. | ||
1252 | */ | ||
1253 | } | ||
1254 | |||
1255 | static int drbg_make_shadow(struct drbg_state *drbg, struct drbg_state **shadow) | ||
1256 | { | ||
1257 | int ret = -ENOMEM; | ||
1258 | struct drbg_state *tmp = NULL; | ||
1259 | |||
1260 | if (!drbg || !drbg->core || !drbg->V || !drbg->C) { | ||
1261 | pr_devel("DRBG: attempt to generate shadow copy for " | ||
1262 | "uninitialized DRBG state rejected\n"); | ||
1263 | return -EINVAL; | ||
1264 | } | ||
1265 | /* HMAC does not have a scratchpad */ | ||
1266 | if (!(drbg->core->flags & DRBG_HMAC) && NULL == drbg->scratchpad) | ||
1267 | return -EINVAL; | ||
1268 | |||
1269 | tmp = kzalloc(sizeof(struct drbg_state), GFP_KERNEL); | ||
1270 | if (!tmp) | ||
1271 | return -ENOMEM; | ||
1272 | |||
1273 | /* read-only data as they are defined as const, no lock needed */ | ||
1274 | tmp->core = drbg->core; | ||
1275 | tmp->d_ops = drbg->d_ops; | ||
1276 | |||
1277 | ret = drbg_alloc_state(tmp); | ||
1278 | if (ret) | ||
1279 | goto err; | ||
1280 | |||
1281 | spin_lock_bh(&drbg->drbg_lock); | ||
1282 | drbg_copy_drbg(drbg, tmp); | ||
1283 | /* only make a link to the test buffer, as we only read that data */ | ||
1284 | tmp->test_data = drbg->test_data; | ||
1285 | spin_unlock_bh(&drbg->drbg_lock); | ||
1286 | *shadow = tmp; | ||
1287 | return 0; | ||
1288 | |||
1289 | err: | ||
1290 | if (tmp) | ||
1291 | kzfree(tmp); | ||
1292 | return ret; | ||
1293 | } | ||
1294 | |||
1295 | static void drbg_restore_shadow(struct drbg_state *drbg, | ||
1296 | struct drbg_state **shadow) | ||
1297 | { | ||
1298 | struct drbg_state *tmp = *shadow; | ||
1299 | |||
1300 | spin_lock_bh(&drbg->drbg_lock); | ||
1301 | drbg_copy_drbg(tmp, drbg); | ||
1302 | spin_unlock_bh(&drbg->drbg_lock); | ||
1303 | drbg_dealloc_state(tmp); | ||
1304 | kzfree(tmp); | ||
1305 | *shadow = NULL; | ||
1306 | } | ||
1307 | |||
1308 | /************************************************************************* | ||
1309 | * DRBG interface functions | ||
1310 | *************************************************************************/ | ||
1311 | |||
1312 | /* | ||
1313 | * DRBG generate function as required by SP800-90A - this function | ||
1314 | * generates random numbers | ||
1315 | * | ||
1316 | * @drbg DRBG state handle | ||
1317 | * @buf Buffer where to store the random numbers -- the buffer must already | ||
1318 | * be pre-allocated by caller | ||
1319 | * @buflen Length of output buffer - this value defines the number of random | ||
1320 | * bytes pulled from DRBG | ||
1321 | * @addtl Additional input that is mixed into state, may be NULL -- note | ||
1322 | * the entropy is pulled by the DRBG internally unconditionally | ||
1323 | * as defined in SP800-90A. The additional input is mixed into | ||
1324 | * the state in addition to the pulled entropy. | ||
1325 | * | ||
1326 | * return: generated number of bytes | ||
1327 | */ | ||
1328 | static int drbg_generate(struct drbg_state *drbg, | ||
1329 | unsigned char *buf, unsigned int buflen, | ||
1330 | struct drbg_string *addtl) | ||
1331 | { | ||
1332 | int len = 0; | ||
1333 | struct drbg_state *shadow = NULL; | ||
1334 | |||
1335 | if (0 == buflen || !buf) { | ||
1336 | pr_devel("DRBG: no output buffer provided\n"); | ||
1337 | return -EINVAL; | ||
1338 | } | ||
1339 | if (addtl && NULL == addtl->buf && 0 < addtl->len) { | ||
1340 | pr_devel("DRBG: wrong format of additional information\n"); | ||
1341 | return -EINVAL; | ||
1342 | } | ||
1343 | |||
1344 | len = drbg_make_shadow(drbg, &shadow); | ||
1345 | if (len) { | ||
1346 | pr_devel("DRBG: shadow copy cannot be generated\n"); | ||
1347 | return len; | ||
1348 | } | ||
1349 | |||
1350 | /* 9.3.1 step 2 */ | ||
1351 | len = -EINVAL; | ||
1352 | if (buflen > (drbg_max_request_bytes(shadow))) { | ||
1353 | pr_devel("DRBG: requested random numbers too large %u\n", | ||
1354 | buflen); | ||
1355 | goto err; | ||
1356 | } | ||
1357 | |||
1358 | /* 9.3.1 step 3 is implicit with the chosen DRBG */ | ||
1359 | |||
1360 | /* 9.3.1 step 4 */ | ||
1361 | if (addtl && addtl->len > (drbg_max_addtl(shadow))) { | ||
1362 | pr_devel("DRBG: additional information string too long %zu\n", | ||
1363 | addtl->len); | ||
1364 | goto err; | ||
1365 | } | ||
1366 | /* 9.3.1 step 5 is implicit with the chosen DRBG */ | ||
1367 | |||
1368 | /* | ||
1369 | * 9.3.1 step 6 and 9 supplemented by 9.3.2 step c is implemented | ||
1370 | * here. The spec is a bit convoluted here, we make it simpler. | ||
1371 | */ | ||
1372 | if ((drbg_max_requests(shadow)) < shadow->reseed_ctr) | ||
1373 | shadow->seeded = false; | ||
1374 | |||
1375 | /* allocate cipher handle */ | ||
1376 | if (shadow->d_ops->crypto_init) { | ||
1377 | len = shadow->d_ops->crypto_init(shadow); | ||
1378 | if (len) | ||
1379 | goto err; | ||
1380 | } | ||
1381 | |||
1382 | if (shadow->pr || !shadow->seeded) { | ||
1383 | pr_devel("DRBG: reseeding before generation (prediction " | ||
1384 | "resistance: %s, state %s)\n", | ||
1385 | drbg->pr ? "true" : "false", | ||
1386 | drbg->seeded ? "seeded" : "unseeded"); | ||
1387 | /* 9.3.1 steps 7.1 through 7.3 */ | ||
1388 | len = drbg_seed(shadow, addtl, true); | ||
1389 | if (len) | ||
1390 | goto err; | ||
1391 | /* 9.3.1 step 7.4 */ | ||
1392 | addtl = NULL; | ||
1393 | } | ||
1394 | /* 9.3.1 step 8 and 10 */ | ||
1395 | len = shadow->d_ops->generate(shadow, buf, buflen, addtl); | ||
1396 | |||
1397 | /* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */ | ||
1398 | shadow->reseed_ctr++; | ||
1399 | if (0 >= len) | ||
1400 | goto err; | ||
1401 | |||
1402 | /* | ||
1403 | * Section 11.3.3 requires to re-perform self tests after some | ||
1404 | * generated random numbers. The chosen value after which self | ||
1405 | * test is performed is arbitrary, but it should be reasonable. | ||
1406 | * However, we do not perform the self tests because of the following | ||
1407 | * reasons: it is mathematically impossible that the initial self tests | ||
1408 | * were successfully and the following are not. If the initial would | ||
1409 | * pass and the following would not, the kernel integrity is violated. | ||
1410 | * In this case, the entire kernel operation is questionable and it | ||
1411 | * is unlikely that the integrity violation only affects the | ||
1412 | * correct operation of the DRBG. | ||
1413 | * | ||
1414 | * Albeit the following code is commented out, it is provided in | ||
1415 | * case somebody has a need to implement the test of 11.3.3. | ||
1416 | */ | ||
1417 | #if 0 | ||
1418 | if (shadow->reseed_ctr && !(shadow->reseed_ctr % 4096)) { | ||
1419 | int err = 0; | ||
1420 | pr_devel("DRBG: start to perform self test\n"); | ||
1421 | if (drbg->core->flags & DRBG_HMAC) | ||
1422 | err = alg_test("drbg_pr_hmac_sha256", | ||
1423 | "drbg_pr_hmac_sha256", 0, 0); | ||
1424 | else if (drbg->core->flags & DRBG_CTR) | ||
1425 | err = alg_test("drbg_pr_ctr_aes128", | ||
1426 | "drbg_pr_ctr_aes128", 0, 0); | ||
1427 | else | ||
1428 | err = alg_test("drbg_pr_sha256", | ||
1429 | "drbg_pr_sha256", 0, 0); | ||
1430 | if (err) { | ||
1431 | pr_err("DRBG: periodical self test failed\n"); | ||
1432 | /* | ||
1433 | * uninstantiate implies that from now on, only errors | ||
1434 | * are returned when reusing this DRBG cipher handle | ||
1435 | */ | ||
1436 | drbg_uninstantiate(drbg); | ||
1437 | drbg_dealloc_state(shadow); | ||
1438 | kzfree(shadow); | ||
1439 | return 0; | ||
1440 | } else { | ||
1441 | pr_devel("DRBG: self test successful\n"); | ||
1442 | } | ||
1443 | } | ||
1444 | #endif | ||
1445 | |||
1446 | err: | ||
1447 | if (shadow->d_ops->crypto_fini) | ||
1448 | shadow->d_ops->crypto_fini(shadow); | ||
1449 | drbg_restore_shadow(drbg, &shadow); | ||
1450 | return len; | ||
1451 | } | ||
1452 | |||
1453 | /* | ||
1454 | * Wrapper around drbg_generate which can pull arbitrary long strings | ||
1455 | * from the DRBG without hitting the maximum request limitation. | ||
1456 | * | ||
1457 | * Parameters: see drbg_generate | ||
1458 | * Return codes: see drbg_generate -- if one drbg_generate request fails, | ||
1459 | * the entire drbg_generate_long request fails | ||
1460 | */ | ||
1461 | static int drbg_generate_long(struct drbg_state *drbg, | ||
1462 | unsigned char *buf, unsigned int buflen, | ||
1463 | struct drbg_string *addtl) | ||
1464 | { | ||
1465 | int len = 0; | ||
1466 | unsigned int slice = 0; | ||
1467 | do { | ||
1468 | int tmplen = 0; | ||
1469 | unsigned int chunk = 0; | ||
1470 | slice = ((buflen - len) / drbg_max_request_bytes(drbg)); | ||
1471 | chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len); | ||
1472 | tmplen = drbg_generate(drbg, buf + len, chunk, addtl); | ||
1473 | if (0 >= tmplen) | ||
1474 | return tmplen; | ||
1475 | len += tmplen; | ||
1476 | } while (slice > 0); | ||
1477 | return len; | ||
1478 | } | ||
1479 | |||
1480 | /* | ||
1481 | * DRBG instantiation function as required by SP800-90A - this function | ||
1482 | * sets up the DRBG handle, performs the initial seeding and all sanity | ||
1483 | * checks required by SP800-90A | ||
1484 | * | ||
1485 | * @drbg memory of state -- if NULL, new memory is allocated | ||
1486 | * @pers Personalization string that is mixed into state, may be NULL -- note | ||
1487 | * the entropy is pulled by the DRBG internally unconditionally | ||
1488 | * as defined in SP800-90A. The additional input is mixed into | ||
1489 | * the state in addition to the pulled entropy. | ||
1490 | * @coreref reference to core | ||
1491 | * @pr prediction resistance enabled | ||
1492 | * | ||
1493 | * return | ||
1494 | * 0 on success | ||
1495 | * error value otherwise | ||
1496 | */ | ||
1497 | static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers, | ||
1498 | int coreref, bool pr) | ||
1499 | { | ||
1500 | int ret = -ENOMEM; | ||
1501 | |||
1502 | pr_devel("DRBG: Initializing DRBG core %d with prediction resistance " | ||
1503 | "%s\n", coreref, pr ? "enabled" : "disabled"); | ||
1504 | drbg->core = &drbg_cores[coreref]; | ||
1505 | drbg->pr = pr; | ||
1506 | drbg->seeded = false; | ||
1507 | switch (drbg->core->flags & DRBG_TYPE_MASK) { | ||
1508 | #ifdef CONFIG_CRYPTO_DRBG_HMAC | ||
1509 | case DRBG_HMAC: | ||
1510 | drbg->d_ops = &drbg_hmac_ops; | ||
1511 | break; | ||
1512 | #endif /* CONFIG_CRYPTO_DRBG_HMAC */ | ||
1513 | #ifdef CONFIG_CRYPTO_DRBG_HASH | ||
1514 | case DRBG_HASH: | ||
1515 | drbg->d_ops = &drbg_hash_ops; | ||
1516 | break; | ||
1517 | #endif /* CONFIG_CRYPTO_DRBG_HASH */ | ||
1518 | #ifdef CONFIG_CRYPTO_DRBG_CTR | ||
1519 | case DRBG_CTR: | ||
1520 | drbg->d_ops = &drbg_ctr_ops; | ||
1521 | break; | ||
1522 | #endif /* CONFIG_CRYPTO_DRBG_CTR */ | ||
1523 | default: | ||
1524 | return -EOPNOTSUPP; | ||
1525 | } | ||
1526 | |||
1527 | /* 9.1 step 1 is implicit with the selected DRBG type */ | ||
1528 | |||
1529 | /* | ||
1530 | * 9.1 step 2 is implicit as caller can select prediction resistance | ||
1531 | * and the flag is copied into drbg->flags -- | ||
1532 | * all DRBG types support prediction resistance | ||
1533 | */ | ||
1534 | |||
1535 | /* 9.1 step 4 is implicit in drbg_sec_strength */ | ||
1536 | |||
1537 | ret = drbg_alloc_state(drbg); | ||
1538 | if (ret) | ||
1539 | return ret; | ||
1540 | |||
1541 | ret = -EFAULT; | ||
1542 | if (drbg->d_ops->crypto_init && drbg->d_ops->crypto_init(drbg)) | ||
1543 | goto err; | ||
1544 | ret = drbg_seed(drbg, pers, false); | ||
1545 | if (drbg->d_ops->crypto_fini) | ||
1546 | drbg->d_ops->crypto_fini(drbg); | ||
1547 | if (ret) | ||
1548 | goto err; | ||
1549 | |||
1550 | return 0; | ||
1551 | |||
1552 | err: | ||
1553 | drbg_dealloc_state(drbg); | ||
1554 | return ret; | ||
1555 | } | ||
1556 | |||
1557 | /* | ||
1558 | * DRBG uninstantiate function as required by SP800-90A - this function | ||
1559 | * frees all buffers and the DRBG handle | ||
1560 | * | ||
1561 | * @drbg DRBG state handle | ||
1562 | * | ||
1563 | * return | ||
1564 | * 0 on success | ||
1565 | */ | ||
1566 | static int drbg_uninstantiate(struct drbg_state *drbg) | ||
1567 | { | ||
1568 | spin_lock_bh(&drbg->drbg_lock); | ||
1569 | drbg_dealloc_state(drbg); | ||
1570 | /* no scrubbing of test_data -- this shall survive an uninstantiate */ | ||
1571 | spin_unlock_bh(&drbg->drbg_lock); | ||
1572 | return 0; | ||
1573 | } | ||
1574 | |||
1575 | /* | ||
1576 | * Helper function for setting the test data in the DRBG | ||
1577 | * | ||
1578 | * @drbg DRBG state handle | ||
1579 | * @test_data test data to sets | ||
1580 | */ | ||
1581 | static inline void drbg_set_testdata(struct drbg_state *drbg, | ||
1582 | struct drbg_test_data *test_data) | ||
1583 | { | ||
1584 | if (!test_data || !test_data->testentropy) | ||
1585 | return; | ||
1586 | spin_lock_bh(&drbg->drbg_lock); | ||
1587 | drbg->test_data = test_data; | ||
1588 | spin_unlock_bh(&drbg->drbg_lock); | ||
1589 | } | ||
1590 | |||
1591 | /*************************************************************** | ||
1592 | * Kernel crypto API cipher invocations requested by DRBG | ||
1593 | ***************************************************************/ | ||
1594 | |||
1595 | #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) | ||
1596 | struct sdesc { | ||
1597 | struct shash_desc shash; | ||
1598 | char ctx[]; | ||
1599 | }; | ||
1600 | |||
1601 | static int drbg_init_hash_kernel(struct drbg_state *drbg) | ||
1602 | { | ||
1603 | struct sdesc *sdesc; | ||
1604 | struct crypto_shash *tfm; | ||
1605 | |||
1606 | tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0); | ||
1607 | if (IS_ERR(tfm)) { | ||
1608 | pr_info("DRBG: could not allocate digest TFM handle\n"); | ||
1609 | return PTR_ERR(tfm); | ||
1610 | } | ||
1611 | BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(tfm)); | ||
1612 | sdesc = kzalloc(sizeof(struct shash_desc) + crypto_shash_descsize(tfm), | ||
1613 | GFP_KERNEL); | ||
1614 | if (!sdesc) { | ||
1615 | crypto_free_shash(tfm); | ||
1616 | return -ENOMEM; | ||
1617 | } | ||
1618 | |||
1619 | sdesc->shash.tfm = tfm; | ||
1620 | sdesc->shash.flags = 0; | ||
1621 | drbg->priv_data = sdesc; | ||
1622 | return 0; | ||
1623 | } | ||
1624 | |||
1625 | static int drbg_fini_hash_kernel(struct drbg_state *drbg) | ||
1626 | { | ||
1627 | struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; | ||
1628 | if (sdesc) { | ||
1629 | crypto_free_shash(sdesc->shash.tfm); | ||
1630 | kzfree(sdesc); | ||
1631 | } | ||
1632 | drbg->priv_data = NULL; | ||
1633 | return 0; | ||
1634 | } | ||
1635 | |||
1636 | static int drbg_kcapi_hash(struct drbg_state *drbg, const unsigned char *key, | ||
1637 | unsigned char *outval, const struct drbg_string *in) | ||
1638 | { | ||
1639 | struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; | ||
1640 | |||
1641 | if (key) | ||
1642 | crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg)); | ||
1643 | crypto_shash_init(&sdesc->shash); | ||
1644 | for (; NULL != in; in = in->next) | ||
1645 | crypto_shash_update(&sdesc->shash, in->buf, in->len); | ||
1646 | return crypto_shash_final(&sdesc->shash, outval); | ||
1647 | } | ||
1648 | #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ | ||
1649 | |||
1650 | #ifdef CONFIG_CRYPTO_DRBG_CTR | ||
1651 | static int drbg_init_sym_kernel(struct drbg_state *drbg) | ||
1652 | { | ||
1653 | int ret = 0; | ||
1654 | struct crypto_blkcipher *tfm; | ||
1655 | |||
1656 | tfm = crypto_alloc_blkcipher(drbg->core->backend_cra_name, 0, 0); | ||
1657 | if (IS_ERR(tfm)) { | ||
1658 | pr_info("DRBG: could not allocate cipher TFM handle\n"); | ||
1659 | return PTR_ERR(tfm); | ||
1660 | } | ||
1661 | BUG_ON(drbg_blocklen(drbg) != crypto_blkcipher_blocksize(tfm)); | ||
1662 | drbg->priv_data = tfm; | ||
1663 | return ret; | ||
1664 | } | ||
1665 | |||
1666 | static int drbg_fini_sym_kernel(struct drbg_state *drbg) | ||
1667 | { | ||
1668 | struct crypto_blkcipher *tfm = | ||
1669 | (struct crypto_blkcipher *)drbg->priv_data; | ||
1670 | if (tfm) | ||
1671 | crypto_free_blkcipher(tfm); | ||
1672 | drbg->priv_data = NULL; | ||
1673 | return 0; | ||
1674 | } | ||
1675 | |||
1676 | static int drbg_kcapi_sym(struct drbg_state *drbg, const unsigned char *key, | ||
1677 | unsigned char *outval, const struct drbg_string *in) | ||
1678 | { | ||
1679 | int ret = 0; | ||
1680 | struct scatterlist sg_in, sg_out; | ||
1681 | struct blkcipher_desc desc; | ||
1682 | struct crypto_blkcipher *tfm = | ||
1683 | (struct crypto_blkcipher *)drbg->priv_data; | ||
1684 | |||
1685 | desc.tfm = tfm; | ||
1686 | desc.flags = 0; | ||
1687 | crypto_blkcipher_setkey(tfm, key, (drbg_keylen(drbg))); | ||
1688 | /* there is only component in *in */ | ||
1689 | sg_init_one(&sg_in, in->buf, in->len); | ||
1690 | sg_init_one(&sg_out, outval, drbg_blocklen(drbg)); | ||
1691 | ret = crypto_blkcipher_encrypt(&desc, &sg_out, &sg_in, in->len); | ||
1692 | |||
1693 | return ret; | ||
1694 | } | ||
1695 | #endif /* CONFIG_CRYPTO_DRBG_CTR */ | ||
1696 | |||
1697 | /*************************************************************** | ||
1698 | * Kernel crypto API interface to register DRBG | ||
1699 | ***************************************************************/ | ||
1700 | |||
1701 | /* | ||
1702 | * Look up the DRBG flags by given kernel crypto API cra_name | ||
1703 | * The code uses the drbg_cores definition to do this | ||
1704 | * | ||
1705 | * @cra_name kernel crypto API cra_name | ||
1706 | * @coreref reference to integer which is filled with the pointer to | ||
1707 | * the applicable core | ||
1708 | * @pr reference for setting prediction resistance | ||
1709 | * | ||
1710 | * return: flags | ||
1711 | */ | ||
1712 | static inline void drbg_convert_tfm_core(const char *cra_driver_name, | ||
1713 | int *coreref, bool *pr) | ||
1714 | { | ||
1715 | int i = 0; | ||
1716 | size_t start = 0; | ||
1717 | int len = 0; | ||
1718 | |||
1719 | *pr = true; | ||
1720 | /* disassemble the names */ | ||
1721 | if (!memcmp(cra_driver_name, "drbg_nopr_", 10)) { | ||
1722 | start = 10; | ||
1723 | *pr = false; | ||
1724 | } else if (!memcmp(cra_driver_name, "drbg_pr_", 8)) { | ||
1725 | start = 8; | ||
1726 | } else { | ||
1727 | return; | ||
1728 | } | ||
1729 | |||
1730 | /* remove the first part */ | ||
1731 | len = strlen(cra_driver_name) - start; | ||
1732 | for (i = 0; ARRAY_SIZE(drbg_cores) > i; i++) { | ||
1733 | if (!memcmp(cra_driver_name + start, drbg_cores[i].cra_name, | ||
1734 | len)) { | ||
1735 | *coreref = i; | ||
1736 | return; | ||
1737 | } | ||
1738 | } | ||
1739 | } | ||
1740 | |||
1741 | static int drbg_kcapi_init(struct crypto_tfm *tfm) | ||
1742 | { | ||
1743 | struct drbg_state *drbg = crypto_tfm_ctx(tfm); | ||
1744 | bool pr = false; | ||
1745 | int coreref = 0; | ||
1746 | |||
1747 | drbg_convert_tfm_core(crypto_tfm_alg_name(tfm), &coreref, &pr); | ||
1748 | /* | ||
1749 | * when personalization string is needed, the caller must call reset | ||
1750 | * and provide the personalization string as seed information | ||
1751 | */ | ||
1752 | return drbg_instantiate(drbg, NULL, coreref, pr); | ||
1753 | } | ||
1754 | |||
1755 | static void drbg_kcapi_cleanup(struct crypto_tfm *tfm) | ||
1756 | { | ||
1757 | drbg_uninstantiate(crypto_tfm_ctx(tfm)); | ||
1758 | } | ||
1759 | |||
1760 | /* | ||
1761 | * Generate random numbers invoked by the kernel crypto API: | ||
1762 | * The API of the kernel crypto API is extended as follows: | ||
1763 | * | ||
1764 | * If dlen is larger than zero, rdata is interpreted as the output buffer | ||
1765 | * where random data is to be stored. | ||
1766 | * | ||
1767 | * If dlen is zero, rdata is interpreted as a pointer to a struct drbg_gen | ||
1768 | * which holds the additional information string that is used for the | ||
1769 | * DRBG generation process. The output buffer that is to be used to store | ||
1770 | * data is also pointed to by struct drbg_gen. | ||
1771 | */ | ||
1772 | static int drbg_kcapi_random(struct crypto_rng *tfm, u8 *rdata, | ||
1773 | unsigned int dlen) | ||
1774 | { | ||
1775 | struct drbg_state *drbg = crypto_rng_ctx(tfm); | ||
1776 | if (0 < dlen) { | ||
1777 | return drbg_generate_long(drbg, rdata, dlen, NULL); | ||
1778 | } else { | ||
1779 | struct drbg_gen *data = (struct drbg_gen *)rdata; | ||
1780 | /* catch NULL pointer */ | ||
1781 | if (!data) | ||
1782 | return 0; | ||
1783 | drbg_set_testdata(drbg, data->test_data); | ||
1784 | return drbg_generate_long(drbg, data->outbuf, data->outlen, | ||
1785 | data->addtl); | ||
1786 | } | ||
1787 | } | ||
1788 | |||
1789 | /* | ||
1790 | * Reset the DRBG invoked by the kernel crypto API | ||
1791 | * The reset implies a full re-initialization of the DRBG. Similar to the | ||
1792 | * generate function of drbg_kcapi_random, this function extends the | ||
1793 | * kernel crypto API interface with struct drbg_gen | ||
1794 | */ | ||
1795 | static int drbg_kcapi_reset(struct crypto_rng *tfm, u8 *seed, unsigned int slen) | ||
1796 | { | ||
1797 | struct drbg_state *drbg = crypto_rng_ctx(tfm); | ||
1798 | struct crypto_tfm *tfm_base = crypto_rng_tfm(tfm); | ||
1799 | bool pr = false; | ||
1800 | struct drbg_string seed_string; | ||
1801 | int coreref = 0; | ||
1802 | |||
1803 | drbg_uninstantiate(drbg); | ||
1804 | drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm_base), &coreref, | ||
1805 | &pr); | ||
1806 | if (0 < slen) { | ||
1807 | drbg_string_fill(&seed_string, seed, slen); | ||
1808 | return drbg_instantiate(drbg, &seed_string, coreref, pr); | ||
1809 | } else { | ||
1810 | struct drbg_gen *data = (struct drbg_gen *)seed; | ||
1811 | /* allow invocation of API call with NULL, 0 */ | ||
1812 | if (!data) | ||
1813 | return drbg_instantiate(drbg, NULL, coreref, pr); | ||
1814 | drbg_set_testdata(drbg, data->test_data); | ||
1815 | return drbg_instantiate(drbg, data->addtl, coreref, pr); | ||
1816 | } | ||
1817 | } | ||
1818 | |||
1819 | /*************************************************************** | ||
1820 | * Kernel module: code to load the module | ||
1821 | ***************************************************************/ | ||
1822 | |||
1823 | /* | ||
1824 | * Tests as defined in 11.3.2 in addition to the cipher tests: testing | ||
1825 | * of the error handling. | ||
1826 | * | ||
1827 | * Note: testing of failing seed source as defined in 11.3.2 is not applicable | ||
1828 | * as seed source of get_random_bytes does not fail. | ||
1829 | * | ||
1830 | * Note 2: There is no sensible way of testing the reseed counter | ||
1831 | * enforcement, so skip it. | ||
1832 | */ | ||
1833 | static inline int __init drbg_healthcheck_sanity(void) | ||
1834 | { | ||
1835 | #ifdef CONFIG_CRYPTO_FIPS | ||
1836 | int len = 0; | ||
1837 | #define OUTBUFLEN 16 | ||
1838 | unsigned char buf[OUTBUFLEN]; | ||
1839 | struct drbg_state *drbg = NULL; | ||
1840 | int ret = -EFAULT; | ||
1841 | int rc = -EFAULT; | ||
1842 | bool pr = false; | ||
1843 | int coreref = 0; | ||
1844 | struct drbg_string addtl; | ||
1845 | size_t max_addtllen, max_request_bytes; | ||
1846 | |||
1847 | /* only perform test in FIPS mode */ | ||
1848 | if (!fips_enabled) | ||
1849 | return 0; | ||
1850 | |||
1851 | #ifdef CONFIG_CRYPTO_DRBG_CTR | ||
1852 | drbg_convert_tfm_core("drbg_nopr_ctr_aes128", &coreref, &pr); | ||
1853 | #elif CONFIG_CRYPTO_DRBG_HASH | ||
1854 | drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr); | ||
1855 | #else | ||
1856 | drbg_convert_tfm_core("drbg_nopr_hmac_sha256", &coreref, &pr); | ||
1857 | #endif | ||
1858 | |||
1859 | drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL); | ||
1860 | if (!drbg) | ||
1861 | return -ENOMEM; | ||
1862 | |||
1863 | /* | ||
1864 | * if the following tests fail, it is likely that there is a buffer | ||
1865 | * overflow as buf is much smaller than the requested or provided | ||
1866 | * string lengths -- in case the error handling does not succeed | ||
1867 | * we may get an OOPS. And we want to get an OOPS as this is a | ||
1868 | * grave bug. | ||
1869 | */ | ||
1870 | |||
1871 | /* get a valid instance of DRBG for following tests */ | ||
1872 | ret = drbg_instantiate(drbg, NULL, coreref, pr); | ||
1873 | if (ret) { | ||
1874 | rc = ret; | ||
1875 | goto outbuf; | ||
1876 | } | ||
1877 | max_addtllen = drbg_max_addtl(drbg); | ||
1878 | max_request_bytes = drbg_max_request_bytes(drbg); | ||
1879 | drbg_string_fill(&addtl, buf, max_addtllen + 1); | ||
1880 | /* overflow addtllen with additonal info string */ | ||
1881 | len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl); | ||
1882 | BUG_ON(0 < len); | ||
1883 | /* overflow max_bits */ | ||
1884 | len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL); | ||
1885 | BUG_ON(0 < len); | ||
1886 | drbg_uninstantiate(drbg); | ||
1887 | |||
1888 | /* overflow max addtllen with personalization string */ | ||
1889 | ret = drbg_instantiate(drbg, &addtl, coreref, pr); | ||
1890 | BUG_ON(0 == ret); | ||
1891 | /* test uninstantated DRBG */ | ||
1892 | len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL); | ||
1893 | BUG_ON(0 < len); | ||
1894 | /* all tests passed */ | ||
1895 | rc = 0; | ||
1896 | |||
1897 | pr_devel("DRBG: Sanity tests for failure code paths successfully " | ||
1898 | "completed\n"); | ||
1899 | |||
1900 | drbg_uninstantiate(drbg); | ||
1901 | outbuf: | ||
1902 | kzfree(drbg); | ||
1903 | return rc; | ||
1904 | #else /* CONFIG_CRYPTO_FIPS */ | ||
1905 | return 0; | ||
1906 | #endif /* CONFIG_CRYPTO_FIPS */ | ||
1907 | } | ||
1908 | |||
1909 | static struct crypto_alg drbg_algs[22]; | ||
1910 | |||
1911 | /* | ||
1912 | * Fill the array drbg_algs used to register the different DRBGs | ||
1913 | * with the kernel crypto API. To fill the array, the information | ||
1914 | * from drbg_cores[] is used. | ||
1915 | */ | ||
1916 | static inline void __init drbg_fill_array(struct crypto_alg *alg, | ||
1917 | const struct drbg_core *core, int pr) | ||
1918 | { | ||
1919 | int pos = 0; | ||
1920 | static int priority = 100; | ||
1921 | |||
1922 | memset(alg, 0, sizeof(struct crypto_alg)); | ||
1923 | memcpy(alg->cra_name, "stdrng", 6); | ||
1924 | if (pr) { | ||
1925 | memcpy(alg->cra_driver_name, "drbg_pr_", 8); | ||
1926 | pos = 8; | ||
1927 | } else { | ||
1928 | memcpy(alg->cra_driver_name, "drbg_nopr_", 10); | ||
1929 | pos = 10; | ||
1930 | } | ||
1931 | memcpy(alg->cra_driver_name + pos, core->cra_name, | ||
1932 | strlen(core->cra_name)); | ||
1933 | |||
1934 | alg->cra_priority = priority; | ||
1935 | priority++; | ||
1936 | /* | ||
1937 | * If FIPS mode enabled, the selected DRBG shall have the | ||
1938 | * highest cra_priority over other stdrng instances to ensure | ||
1939 | * it is selected. | ||
1940 | */ | ||
1941 | if (fips_enabled) | ||
1942 | alg->cra_priority += 200; | ||
1943 | |||
1944 | alg->cra_flags = CRYPTO_ALG_TYPE_RNG; | ||
1945 | alg->cra_ctxsize = sizeof(struct drbg_state); | ||
1946 | alg->cra_type = &crypto_rng_type; | ||
1947 | alg->cra_module = THIS_MODULE; | ||
1948 | alg->cra_init = drbg_kcapi_init; | ||
1949 | alg->cra_exit = drbg_kcapi_cleanup; | ||
1950 | alg->cra_u.rng.rng_make_random = drbg_kcapi_random; | ||
1951 | alg->cra_u.rng.rng_reset = drbg_kcapi_reset; | ||
1952 | alg->cra_u.rng.seedsize = 0; | ||
1953 | } | ||
1954 | |||
1955 | static int __init drbg_init(void) | ||
1956 | { | ||
1957 | unsigned int i = 0; /* pointer to drbg_algs */ | ||
1958 | unsigned int j = 0; /* pointer to drbg_cores */ | ||
1959 | int ret = -EFAULT; | ||
1960 | |||
1961 | ret = drbg_healthcheck_sanity(); | ||
1962 | if (ret) | ||
1963 | return ret; | ||
1964 | |||
1965 | if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) { | ||
1966 | pr_info("DRBG: Cannot register all DRBG types" | ||
1967 | "(slots needed: %lu, slots available: %lu)\n", | ||
1968 | ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs)); | ||
1969 | return ret; | ||
1970 | } | ||
1971 | |||
1972 | /* | ||
1973 | * each DRBG definition can be used with PR and without PR, thus | ||
1974 | * we instantiate each DRBG in drbg_cores[] twice. | ||
1975 | * | ||
1976 | * As the order of placing them into the drbg_algs array matters | ||
1977 | * (the later DRBGs receive a higher cra_priority) we register the | ||
1978 | * prediction resistance DRBGs first as the should not be too | ||
1979 | * interesting. | ||
1980 | */ | ||
1981 | for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) | ||
1982 | drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 1); | ||
1983 | for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) | ||
1984 | drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 0); | ||
1985 | return crypto_register_algs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); | ||
1986 | } | ||
1987 | |||
1988 | void __exit drbg_exit(void) | ||
1989 | { | ||
1990 | crypto_unregister_algs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); | ||
1991 | } | ||
1992 | |||
1993 | module_init(drbg_init); | ||
1994 | module_exit(drbg_exit); | ||
1995 | MODULE_LICENSE("GPL"); | ||
1996 | MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>"); | ||
1997 | MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) using following cores:" | ||
1998 | #ifdef CONFIG_CRYPTO_DRBG_HMAC | ||
1999 | "HMAC " | ||
2000 | #endif | ||
2001 | #ifdef CONFIG_CRYPTO_DRBG_HASH | ||
2002 | "Hash " | ||
2003 | #endif | ||
2004 | #ifdef CONFIG_CRYPTO_DRBG_CTR | ||
2005 | "CTR" | ||
2006 | #endif | ||
2007 | ); | ||