Orange Pi5 kernel

Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards

/*
 * DRBG: Deterministic Random Bits Generator
 *       Based on NIST Recommended DRBG from NIST SP800-90A with the following
 *       properties:
 *		* CTR DRBG with DF with AES-128, AES-192, AES-256 cores
 *		* Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
 *		* HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
 *		* with and without prediction resistance
 *
 * Copyright Stephan Mueller <smueller@chronox.de>, 2014
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, and the entire permission notice in its entirety,
 *    including the disclaimer of warranties.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 *    products derived from this software without specific prior
 *    written permission.
 *
 * ALTERNATIVELY, this product may be distributed under the terms of
 * the GNU General Public License, in which case the provisions of the GPL are
 * required INSTEAD OF the above restrictions.  (This clause is
 * necessary due to a potential bad interaction between the GPL and
 * the restrictions contained in a BSD-style copyright.)
 *
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
 * WHICH ARE HEREBY DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
 * DAMAGE.
 *
 * DRBG Usage
 * ==========
 * The SP 800-90A DRBG allows the user to specify a personalization string
 * for initialization as well as an additional information string for each
 * random number request. The following code fragments show how a caller
 * uses the kernel crypto API to use the full functionality of the DRBG.
 *
 * Usage without any additional data
 * ---------------------------------
 * struct crypto_rng *drng;
 * int err;
 * char data[DATALEN];
 *
 * drng = crypto_alloc_rng(drng_name, 0, 0);
 * err = crypto_rng_get_bytes(drng, &data, DATALEN);
 * crypto_free_rng(drng);
 *
 *
 * Usage with personalization string during initialization
 * -------------------------------------------------------
 * struct crypto_rng *drng;
 * int err;
 * char data[DATALEN];
 * struct drbg_string pers;
 * // NOTE: "some-string" is 11 characters, so this 11-byte array holds no
 * // NUL terminator and the strlen() calls below would read past its end;
 * // real code must leave room for the terminator or pass the length
 * // explicitly.
 * char personalization[11] = "some-string";
 *
 * drbg_string_fill(&pers, personalization, strlen(personalization));
 * drng = crypto_alloc_rng(drng_name, 0, 0);
 * // The reset completely re-initializes the DRBG with the provided
 * // personalization string
 * err = crypto_rng_reset(drng, &personalization, strlen(personalization));
 * err = crypto_rng_get_bytes(drng, &data, DATALEN);
 * crypto_free_rng(drng);
 *
 *
 * Usage with additional information string during random number request
 * ---------------------------------------------------------------------
 * struct crypto_rng *drng;
 * int err;
 * char data[DATALEN];
 * // NOTE: "some-string" is 11 characters, so this 11-byte array holds no
 * // NUL terminator and the strlen() call below would read past its end;
 * // real code must leave room for the terminator or pass the length
 * // explicitly.
 * char addtl_string[11] = "some-string";
 * struct drbg_string addtl;
 *
 * drbg_string_fill(&addtl, addtl_string, strlen(addtl_string));
 * drng = crypto_alloc_rng(drng_name, 0, 0);
 * // The following call is a wrapper to crypto_rng_get_bytes() and returns
 * // the same error codes.
 * err = crypto_drbg_get_bytes_addtl(drng, &data, DATALEN, &addtl);
 * crypto_free_rng(drng);
 *
 *
 * Usage with personalization and additional information strings
 * -------------------------------------------------------------
 * Just mix both scenarios above.
 */

#include <crypto/drbg.h>
#include <crypto/internal/cipher.h>
#include <linux/kernel.h>

/***************************************************************
 * Backend cipher definitions available to DRBG
 ***************************************************************/

/*
 * The order of the DRBG definitions here matters: every DRBG is registered
 * as stdrng. Each DRBG receives an increasing cra_priority value the later
 * it is defined in this array (see drbg_fill_array).
 *
 * HMAC DRBGs are favored over Hash DRBGs over CTR DRBGs, and
 * the SHA256 / AES 256 over other ciphers. Thus, the favored
 * DRBGs are the latest entries in this array.
 *
 * NOTE(review): because position decides priority, inserting or reordering
 * an entry changes which DRBG a caller asking for the generic "stdrng" is
 * handed. The SHA-1 backed cores come first within the Hash and HMAC groups,
 * i.e. they rank lowest there -- confirm against drbg_fill_array, which is
 * not part of the code shown here.
 *
 * Per entry: .flags combines the DRBG type with its security strength,
 * .statelen and .blocklen_bytes are given in bytes (the trailing comments
 * state the same value in bits), .cra_name is the DRBG's own name suffix and
 * .backend_cra_name is the kernel crypto API algorithm it is built on.
 */
static const struct drbg_core drbg_cores[] = {
#ifdef CONFIG_CRYPTO_DRBG_CTR
	/* CTR DRBG cores: AES-128, AES-192, AES-256 (16 byte cipher block) */
	{
		.flags = DRBG_CTR | DRBG_STRENGTH128,
		.statelen = 32, /* 256 bits as defined in 10.2.1 */
		.blocklen_bytes = 16,
		.cra_name = "ctr_aes128",
		.backend_cra_name = "aes",
	}, {
		.flags = DRBG_CTR | DRBG_STRENGTH192,
		.statelen = 40, /* 320 bits as defined in 10.2.1 */
		.blocklen_bytes = 16,
		.cra_name = "ctr_aes192",
		.backend_cra_name = "aes",
	}, {
		.flags = DRBG_CTR | DRBG_STRENGTH256,
		.statelen = 48, /* 384 bits as defined in 10.2.1 */
		.blocklen_bytes = 16,
		.cra_name = "ctr_aes256",
		.backend_cra_name = "aes",
	},
#endif /* CONFIG_CRYPTO_DRBG_CTR */
#ifdef CONFIG_CRYPTO_DRBG_HASH
	/* Hash DRBG cores: SHA-1, SHA-384, SHA-512, SHA-256 (favored, last) */
	{
		.flags = DRBG_HASH | DRBG_STRENGTH128,
		.statelen = 55, /* 440 bits */
		.blocklen_bytes = 20,
		.cra_name = "sha1",
		.backend_cra_name = "sha1",
	}, {
		.flags = DRBG_HASH | DRBG_STRENGTH256,
		.statelen = 111, /* 888 bits */
		.blocklen_bytes = 48,
		.cra_name = "sha384",
		.backend_cra_name = "sha384",
	}, {
		.flags = DRBG_HASH | DRBG_STRENGTH256,
		.statelen = 111, /* 888 bits */
		.blocklen_bytes = 64,
		.cra_name = "sha512",
		.backend_cra_name = "sha512",
	}, {
		.flags = DRBG_HASH | DRBG_STRENGTH256,
		.statelen = 55, /* 440 bits */
		.blocklen_bytes = 32,
		.cra_name = "sha256",
		.backend_cra_name = "sha256",
	},
#endif /* CONFIG_CRYPTO_DRBG_HASH */
#ifdef CONFIG_CRYPTO_DRBG_HMAC
	/* HMAC DRBG cores: statelen equals blocklen_bytes for every entry */
	{
		.flags = DRBG_HMAC | DRBG_STRENGTH128,
		.statelen = 20, /* block length of cipher */
		.blocklen_bytes = 20,
		.cra_name = "hmac_sha1",
		.backend_cra_name = "hmac(sha1)",
	}, {
		.flags = DRBG_HMAC | DRBG_STRENGTH256,
		.statelen = 48, /* block length of cipher */
		.blocklen_bytes = 48,
		.cra_name = "hmac_sha384",
		.backend_cra_name = "hmac(sha384)",
	}, {
		.flags = DRBG_HMAC | DRBG_STRENGTH256,
		.statelen = 64, /* block length of cipher */
		.blocklen_bytes = 64,
		.cra_name = "hmac_sha512",
		.backend_cra_name = "hmac(sha512)",
	}, {
		/* last entry of the array, hence the most favored DRBG */
		.flags = DRBG_HMAC | DRBG_STRENGTH256,
		.statelen = 32, /* block length of cipher */
		.blocklen_bytes = 32,
		.cra_name = "hmac_sha256",
		.backend_cra_name = "hmac(sha256)",
	},
#endif /* CONFIG_CRYPTO_DRBG_HMAC */
};

static int drbg_uninstantiate(struct drbg_state *drbg);

/******************************************************************
 * Generic helper functions
 ******************************************************************/

/*
 * Map the strength bits of a DRBG flags word to the security strength
 * according to SP800-90A section 8.4.
 *
 * @flags DRBG flags reference
 *
 * Return: normalized strength in *bytes* (16, 24 or 32). A strength value
 *	   that matches none of the known constants yields 32 as the
 *	   default to counter programming errors.
 */
static inline unsigned short drbg_sec_strength(drbg_flag_t flags)
{
	const drbg_flag_t strength = flags & DRBG_STRENGTH_MASK;

	if (strength == DRBG_STRENGTH128)
		return 16;
	if (strength == DRBG_STRENGTH192)
		return 24;

	/* DRBG_STRENGTH256 and every unknown value share the 32 byte result */
	return 32;
}
/*
 * FIPS 140-2 continuous self test for the noise source.
 *
 * The test is performed on the noise source input data: each block is
 * compared with the block recorded on the previous call. The function
 * implicitly takes the buffer size to be the security strength of the DRBG
 * core. The nonce trailing the entropy data during initial seeding is
 * disregarded.
 *
 * The first block only primes the test: it is recorded and -EAGAIN tells
 * the caller that another round is needed. A block that is identical to its
 * predecessor fails the test, which panics the kernel.
 *
 * drbg->drbg_mutex must have been taken.
 *
 * NOTE(review): drbg->prev retains a copy of raw seed material between
 * calls; wiping it belongs to the teardown of the DRBG state, which is not
 * part of this function -- confirm it is covered there.
 *
 * @drbg DRBG handle
 * @entropy buffer of seed data to be checked
 *
 * return:
 *	0 on success or when the test is skipped
 *	-EAGAIN when the CTRNG is not yet primed
 *	(a failed comparison does not return, it panics)
 */
static int drbg_fips_continuous_test(struct drbg_state *drbg,
				     const unsigned char *entropy)
{
	const unsigned short entropylen = drbg_sec_strength(drbg->core->flags);

	/*
	 * Nothing to do without FIPS support compiled in, when the overall
	 * system is under test (empty test_data list), or outside FIPS mode.
	 */
	if (!IS_ENABLED(CONFIG_CRYPTO_FIPS) ||
	    list_empty(&drbg->test_data.list) ||
	    !fips_enabled)
		return 0;

	if (drbg->fips_primed) {
		/* the test shall pass when the two values are not equal */
		if (memcmp(drbg->prev, entropy, entropylen) == 0)
			panic("DRBG continuous self test failed\n");

		/* the current block becomes the reference for the next call */
		memcpy(drbg->prev, entropy, entropylen);
		return 0;
	}

	/* Priming of FIPS test: record the block, another round is needed */
	memcpy(drbg->prev, entropy, entropylen);
	drbg->fips_primed = true;
	return -EAGAIN;
}
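/*
 * Convert an integer into a byte representation of this integer.
 * The byte representation is big-endian
 *
 * @val value to be converted
 * @buf buffer holding the converted integer -- caller must ensure that
 *      buffer size is at least 32 bit; no particular alignment is needed
 */
#if (defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR))
static inline void drbg_cpu_to_be32(__u32 val, unsigned char *buf)
{
	const __be32 be = cpu_to_be32(val);

	/*
	 * buf is a plain byte pointer and may sit at any offset inside a
	 * larger byte array. Copy the four bytes instead of storing through
	 * a cast pointer to a __be32 member, which would assume that buf is
	 * aligned for a 32 bit store.
	 */
	memcpy(buf, &be, sizeof(be));
}
#endif /* defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR) */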

/******************************************************************
 * CTR DRBG callback functions
 ******************************************************************/

#ifdef CONFIG_CRYPTO_DRBG_CTR
#define CRYPTO_DRBG_CTR_STRING "CTR "
/*
 * Module aliases for the CTR DRBG names: one per AES key size (256, 192,
 * 128), each in a "pr" and a "nopr" flavor -- presumably with and without
 * prediction resistance, matching the properties listed in the file header.
 */
MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes256");
MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes256");
MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes192");
MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes192");
MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes128");
MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes128");

/*
 * Forward declarations of the file-local symmetric cipher helpers used by
 * the CTR DRBG code; their definitions are not part of the code above.
 */
static void drbg_kcapi_symsetkey(struct drbg_state *drbg,
				 const unsigned char *key);
static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval,
			  const struct drbg_string *in);
static int drbg_init_sym_kernel(struct drbg_state *drbg);
static int drbg_fini_sym_kernel(struct drbg_state *drbg);
static int drbg_kcapi_sym_ctr(struct drbg_state *drbg,
			      u8 *inbuf, u32 inbuflen,
			      u8 *outbuf, u32 outlen);
/* NOTE(review): presumably the byte size of an output scratch buffer -- confirm at the point of use */
#define DRBG_OUTSCRATCHLEN 256
/*
 * BCC function for CTR DRBG as defined in 10.4.3
 *
 * The buffers on @in are consumed as one continuous byte stream that is
 * XORed into @out. Whenever a full block of drbg_blocklen(drbg) bytes has
 * been XORed in, @out is run through drbg_kcapi_sym() with @out serving as
 * both input and output.
 *
 * @drbg DRBG handle
 * @out chaining value of drbg_blocklen(drbg) bytes, updated in place; it is
 *	not initialized here, so the caller supplies the starting value
 * @key key handed to drbg_kcapi_symsetkey() before processing starts
 * @in list of struct drbg_string buffers to process
 *
 * return: 0 on success, otherwise the error code of drbg_kcapi_sym()
 */
static int drbg_ctr_bcc(struct drbg_state *drbg,
			unsigned char *out, const unsigned char *key,
			struct list_head *in)
{
	struct drbg_string *entry = NULL;
	struct drbg_string block;
	short filled = 0;
	int ret = 0;

	/* the cipher input aliases out, so every round works on out itself */
	drbg_string_fill(&block, out, drbg_blocklen(drbg));

	/* 10.4.3 step 2 / 4 */
	drbg_kcapi_symsetkey(drbg, key);
	list_for_each_entry(entry, in, list) {
		const unsigned char *src = entry->buf;
		size_t remaining;

		/* 10.4.3 step 4.1 */
		for (remaining = entry->len; remaining; remaining--) {
			/* 10.4.3 step 4.2 */
			if (filled == drbg_blocklen(drbg)) {
				filled = 0;
				ret = drbg_kcapi_sym(drbg, out, &block);
				if (ret)
					return ret;
			}
			out[filled++] ^= *src++;
		}
	}

	/* 10.4.3 step 4.2 for last block */
	if (filled)
		ret = drbg_kcapi_sym(drbg, out, &block);

	return ret;
}

/*
 * scratchpad usage: drbg_ctr_update is interlinked with drbg_ctr_df
 * (and drbg_ctr_bcc, but this function does not need any temporary buffers),
 * the scratchpad is used as follows:
 * drbg_ctr_update:
 *	temp
 *		start: drbg->scratchpad
 *		length: drbg_statelen(drbg) + drbg_blocklen(drbg)
 *			note: the cipher writing into this variable works
 *			blocklen-wise. Now, when the statelen is not a multiple
 *			of blocklen, the generation loop below "spills over"
 *			by at most blocklen. Thus, we need to give sufficient
 *			memory.
 *	df_data
 *		start: drbg->scratchpad +
 *				drbg_statelen(drbg) + drbg_blocklen(drbg)
 *		length: drbg_statelen(drbg)
 *
 * drbg_ctr_df:
 *	pad
 *		start: df_data + drbg_statelen(drbg)
 *		length: drbg_blocklen(drbg)
 *	iv
 *		start: pad + drbg_blocklen(drbg)
 *		length: drbg_blocklen(drbg)
 *	temp
 *		start: iv + drbg_blocklen(drbg)
 *		length: drbg_statelen(drbg) + drbg_blocklen(drbg)
 *			note: temp is the buffer that the BCC function operates
 *			on. BCC operates blockwise. drbg_statelen(drbg)
 *			is sufficient when the DRBG state length is a multiple
 *			of the block size. For AES192 (and maybe other ciphers)
 *			this is not correct and the length for temp is
 *			insufficient (yes, that also means for such ciphers,
 *			the final output of all BCC rounds is truncated).
 *			Therefore, add drbg_blocklen(drbg) to cover all
 *			possibilities.
 */

/*
 * Derivation Function for CTR DRBG as defined in 10.4.2
 *
 * @drbg: DRBG state; supplies the key, block and state lengths and is handed
 *	  to the cipher helpers
 * @df_data: output buffer and scratch memory in one. The first
 *	     bytes_to_return bytes receive the derived output. The area
 *	     starting at df_data + drbg_statelen(drbg) is carved up into
 *	     pad (one block), iv (one block) and temp (drbg_statelen(drbg) +
 *	     drbg_blocklen(drbg)). No bounds check is done here, so the caller
 *	     has to provide a buffer that covers all of it.
 * @bytes_to_return: number of output bytes requested, at most 512/8
 * @seedlist: list of drbg_string entries forming the input string. The entries
 *	      are spliced onto a list head that lives on this function's stack.
 *	      NOTE(review): the splice does not reinitialise the caller's list
 *	      head, so callers presumably must not walk seedlist again after
 *	      this returns -- confirm against the callers.
 *
 * Return: 0 on success, -EINVAL if more than 512/8 bytes are requested,
 * otherwise the error reported by drbg_ctr_bcc() or drbg_kcapi_sym().
 *
 * pad, iv and temp are zeroed on every exit taken through the out label, so no
 * intermediate BCC output or derived key stays behind in the scratch area. The
 * -EINVAL exit is taken after pad and iv were cleared and before temp is
 * written.
 */
static int drbg_ctr_df(struct drbg_state *drbg,
		       unsigned char *df_data, size_t bytes_to_return,
		       struct list_head *seedlist)
{
	/* scratch layout behind the output area, see @df_data above */
	unsigned char *pad = df_data + drbg_statelen(drbg);
	unsigned char *iv = pad + drbg_blocklen(drbg);
	unsigned char *temp = iv + drbg_blocklen(drbg);
	/* 10.4.2 step 8: fixed, non-secret key used for the BCC rounds */
	const unsigned char *bcc_key = (unsigned char *)
			   "\x00\x01\x02\x03\x04\x05\x06\x07"
			   "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
			   "\x10\x11\x12\x13\x14\x15\x16\x17"
			   "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f";
	/* S1 = iv, S2 = L || N, S3 is the caller's input, S4 = padding */
	struct drbg_string S1, S2, S4, cipherin;
	struct drbg_string *entry = NULL;
	LIST_HEAD(bcc_list);
	unsigned char L_N[8];
	unsigned char *X;
	size_t inputlen = 0;
	size_t rem;
	size_t padlen;
	size_t produced;
	size_t chunk;
	unsigned int filled;
	/* 10.4.2 step 7: block counter that is written into the iv */
	unsigned int ctr;
	int ret = -EFAULT;

	memset(pad, 0, drbg_blocklen(drbg));
	memset(iv, 0, drbg_blocklen(drbg));

	/* 10.4.2 step 1 is implicit as we work byte-wise */

	/* 10.4.2 step 2: refuse requests above the 512 bit limit */
	if (bytes_to_return > (512/8))
		return -EINVAL;

	/* 10.4.2 step 2 -- L is the total length of all input data */
	list_for_each_entry(entry, seedlist, list)
		inputlen += entry->len;
	drbg_cpu_to_be32(inputlen, &L_N[0]);

	/* 10.4.2 step 3 -- N is the requested output length */
	drbg_cpu_to_be32(bytes_to_return, &L_N[4]);

	/*
	 * 10.4.2 step 5: L_N, the input string and the 0x80 byte have to end
	 * on a block boundary. rem is what sticks out of the last full block;
	 * the zero bytes needed to fill it up plus one for the 0x80 byte
	 * itself give the length of the padding string.
	 */
	rem = (inputlen + sizeof(L_N) + 1) % (drbg_blocklen(drbg));
	padlen = rem ? drbg_blocklen(drbg) - rem + 1 : 1;
	pad[0] = 0x80;

	/* 10.4.2 step 4 -- chain iv || L_N || input || padding for BCC */
	drbg_string_fill(&S1, iv, drbg_blocklen(drbg));
	list_add_tail(&S1.list, &bcc_list);
	drbg_string_fill(&S2, L_N, sizeof(L_N));
	list_add_tail(&S2.list, &bcc_list);
	list_splice_tail(seedlist, &bcc_list);
	drbg_string_fill(&S4, pad, padlen);
	list_add_tail(&S4.list, &bcc_list);

	/* 10.4.2 step 9: one BCC round per block until key + block is there */
	for (ctr = 0, filled = 0;
	     filled < (drbg_keylen(drbg) + (drbg_blocklen(drbg)));
	     ctr++, filled += drbg_blocklen(drbg)) {
		/*
		 * 10.4.2 step 9.1 - only the counter changes in the iv; the
		 * remaining iv bytes were zeroed above and act as padding
		 */
		drbg_cpu_to_be32(ctr, iv);
		/* 10.4.2 step 9.2 -- BCC output is appended to temp */
		ret = drbg_ctr_bcc(drbg, temp + filled, bcc_key, &bcc_list);
		if (ret)
			goto out;
		/* 10.4.2 step 9.3 is the loop increment */
	}

	/* 10.4.2 step 11: X is the block that follows the key in temp */
	X = temp + (drbg_keylen(drbg));
	drbg_string_fill(&cipherin, X, drbg_blocklen(drbg));

	/* 10.4.2 step 12: overwriting of outval is implemented in next step */

	/* 10.4.2 step 13: key the cipher with the leading bytes of temp */
	drbg_kcapi_symsetkey(drbg, temp);
	for (produced = 0; produced < bytes_to_return; produced += chunk) {
		/*
		 * 10.4.2 step 13.1: X is encrypted in place, the result is
		 * the input of the next round
		 */
		ret = drbg_kcapi_sym(drbg, X, &cipherin);
		if (ret)
			goto out;

		/* the last round may only need a part of the block */
		chunk = bytes_to_return - produced;
		if (drbg_blocklen(drbg) < chunk)
			chunk = drbg_blocklen(drbg);

		/* 10.4.2 step 13.2 and 14 */
		memcpy(df_data + produced, X, chunk);
	}

	ret = 0;

out:
	/* wipe everything except the output at the start of df_data */
	memset(iv, 0, drbg_blocklen(drbg));
	memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg));
	memset(pad, 0, drbg_blocklen(drbg));
	return ret;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  515) 
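/*
 * update function of CTR DRBG as defined in 10.2.1.2
 *
 * The reseed variable has an enhanced meaning compared to the update
 * functions of the other DRBGs as follows:
 * 0 => initial seed from initialization
 * 1 => reseed via drbg_seed
 * 2 => first invocation from drbg_ctr_update when addtl is present. In
 *      this case, the df_data scratchpad is not deleted so that it is
 *      available for further calls, which avoids calling the DF function
 *      again.
 * 3 => second invocation from drbg_ctr_update. When the update function
 *      was called with addtl, the df_data memory already contains the
 *      DFed addtl information and we do not need to call DF again.
 *
 * @drbg: DRBG state; V, C, ctr_handle and scratchpad are used
 * @seed: list of input strings that is run through drbg_ctr_df(), or NULL
 * @reseed: see above
 *
 * Return: 0 on success, otherwise the error of the failing helper.
 *
 * Scratchpad use: temp sits at the start of drbg->scratchpad and receives the
 * new key and V; df_data follows at drbg_statelen(drbg) + drbg_blocklen(drbg).
 * Every failure exit goes through the out label so that temp is wiped and
 * df_data is wiped unless reseed is 2.
 */
static int drbg_ctr_update(struct drbg_state *drbg, struct list_head *seed,
			   int reseed)
{
	int ret = -EFAULT;
	/* 10.2.1.2 step 1 */
	unsigned char *temp = drbg->scratchpad;
	unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) +
				 drbg_blocklen(drbg);

	/* for reseed == 3 df_data is taken over from the preceding call */
	if (3 > reseed)
		memset(df_data, 0, drbg_statelen(drbg));

	if (!reseed) {
		/*
		 * The DRBG uses the CTR mode of the underlying AES cipher. The
		 * CTR mode increments the counter value after the AES operation
		 * but SP800-90A requires that the counter is incremented before
		 * the AES operation. Hence, we increment it at the time we set
		 * it by one.
		 */
		crypto_inc(drbg->V, drbg_blocklen(drbg));

		ret = crypto_skcipher_setkey(drbg->ctr_handle, drbg->C,
					     drbg_keylen(drbg));
		if (ret)
			goto out;
	}

	/* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */
	if (seed) {
		ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), seed);
		if (ret)
			goto out;
	}

	ret = drbg_kcapi_sym_ctr(drbg, df_data, drbg_statelen(drbg),
				 temp, drbg_statelen(drbg));
	/*
	 * Leave through out like every other failure: a direct return here
	 * would skip the wipe below and keep the derived seed material in
	 * df_data and whatever was already written to temp.
	 */
	if (ret)
		goto out;

	/* 10.2.1.2 step 5 */
	ret = crypto_skcipher_setkey(drbg->ctr_handle, temp,
				     drbg_keylen(drbg));
	if (ret)
		goto out;
	/* 10.2.1.2 step 6 */
	memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg));
	/* See above: increment counter by one to compensate timing of CTR op */
	crypto_inc(drbg->V, drbg_blocklen(drbg));
	ret = 0;

out:
	/* temp held the new key and V, never leave it in the scratchpad */
	memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg));
	/*
	 * NOTE(review): with reseed == 2 df_data is kept even when a step
	 * above failed. drbg_ctr_generate gives up right after such a failure,
	 * so the DFed additional input stays in the scratchpad until the next
	 * call with reseed < 3 clears it. Consider wiping it on error as well.
	 */
	if (2 != reseed)
		memset(df_data, 0, drbg_statelen(drbg));
	return ret;
}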
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  588) 
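/*
 * scratchpad use: drbg_ctr_update is called independently from
 * drbg_ctr_extract_bytes. Therefore, the scratchpad is reused
 */
/*
 * Generate function of CTR DRBG as defined in 10.2.1.5.2
 *
 * @drbg: DRBG state
 * @buf: output buffer for the random data
 * @buflen: number of bytes requested; clamped to INT_MAX because the byte
 *	    count is handed back as an int
 * @addtl: optional list of additional input strings, may be NULL or empty
 *
 * Return: number of bytes written to buf on success, otherwise the negative
 * error of the step that failed.
 */
static int drbg_ctr_generate(struct drbg_state *drbg,
			     unsigned char *buf, unsigned int buflen,
			     struct list_head *addtl)
{
	int ret;
	int len = min_t(int, buflen, INT_MAX);

	/* 10.2.1.5.2 step 2 */
	if (addtl && !list_empty(addtl)) {
		ret = drbg_ctr_update(drbg, addtl, 2);
		/*
		 * Hand the error up like the other failure paths here and
		 * like drbg_hmac_generate does. A return value of 0 would say
		 * "no bytes, no error", and a caller that only looks for a
		 * negative value would carry on with an unfilled buf.
		 * NOTE(review): how the generic caller treats 0 is not
		 * visible in this part of the file -- confirm.
		 */
		if (ret)
			return ret;
	}

	/* 10.2.1.5.2 step 4.1: no input data, output goes straight to buf */
	ret = drbg_kcapi_sym_ctr(drbg, NULL, 0, buf, len);
	if (ret)
		return ret;

	/*
	 * 10.2.1.5.2 step 6: update the state after the output was produced;
	 * reseed == 3 makes the update reuse df_data instead of running the
	 * DF again
	 */
	ret = drbg_ctr_update(drbg, NULL, 3);
	if (ret)
		len = ret;

	return len;
}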
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  620) 
/*
 * Operations table of the CTR DRBG: the symmetric cipher setup and teardown
 * helpers plus the update and generate callbacks defined above.
 */
static const struct drbg_state_ops drbg_ctr_ops = {
	.crypto_init = drbg_init_sym_kernel,
	.crypto_fini = drbg_fini_sym_kernel,
	.update = drbg_ctr_update,
	.generate = drbg_ctr_generate,
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  627) #endif /* CONFIG_CRYPTO_DRBG_CTR */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  628) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  629) /******************************************************************
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  630)  * HMAC DRBG callback functions
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  631)  ******************************************************************/
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  632) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  633) #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC)
/*
 * Forward declarations of the hash glue that the HMAC and Hash DRBG callbacks
 * below call; the definitions are not in this part of the file.
 */
static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval,
			   const struct list_head *in);
static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg,
				  const unsigned char *key);
static int drbg_init_hash_kernel(struct drbg_state *drbg);
static int drbg_fini_hash_kernel(struct drbg_state *drbg);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  640) #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  641) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  642) #ifdef CONFIG_CRYPTO_DRBG_HMAC
#define CRYPTO_DRBG_HMAC_STRING "HMAC "
/*
 * Crypto API names under which the HMAC DRBG variants can be requested and the
 * module auto-loaded; "pr" and "nopr" presumably stand for with and without
 * prediction resistance, matching the file header.
 * NOTE(review): the SHA-1 based variants are exported as well. Check whether
 * the deployment's crypto policy still allows SHA-1 for random number
 * generation before relying on them.
 */
MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha512");
MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha512");
MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha384");
MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha384");
MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha256");
MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha256");
MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha1");
MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha1");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  652) 
/*
 * update function of HMAC DRBG as defined in 10.1.2.2
 *
 * @drbg: DRBG state; V is the value and C holds the HMAC key
 * @seed: list of input strings to mix in, or NULL. A non-NULL list is spliced
 *	  onto a list head on this function's stack.
 * @reseed: 0 for the initial seeding, which first sets V to all 0x01 and keys
 *	    the HMAC with C; any other value skips that setup
 *
 * Return: 0 on success, otherwise the error of drbg_kcapi_hash().
 *
 * Without seed only the first of the two rounds is executed.
 */
static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed,
			    int reseed)
{
	struct drbg_string v_for_key, prefix_str, v_for_v;
	LIST_HEAD(seedlist);
	LIST_HEAD(vdatalist);
	int round;
	int ret = -EFAULT;

	if (!reseed) {
		/* 10.1.2.3 step 2 -- memset(0) of C is implicit with kzalloc */
		memset(drbg->V, 1, drbg_statelen(drbg));
		drbg_kcapi_hmacsetkey(drbg, drbg->C);
	}

	/* key input: V || prefix byte || seed (if there is one) */
	drbg_string_fill(&v_for_key, drbg->V, drbg_statelen(drbg));
	list_add_tail(&v_for_key.list, &seedlist);
	/* the one byte buffer of prefix_str is attached inside the loop */
	drbg_string_fill(&prefix_str, NULL, 1);
	list_add_tail(&prefix_str.list, &seedlist);
	/* seed may be NULL, then the key input ends after the prefix */
	if (seed)
		list_splice_tail(seed, &seedlist);

	/* value input: V on its own */
	drbg_string_fill(&v_for_v, drbg->V, drbg_statelen(drbg));
	list_add_tail(&v_for_v.list, &vdatalist);

	for (round = 0; round < 2; round++) {
		/* first round uses 0x0, second 0x1 */
		unsigned char prefix = round ? DRBG_PREFIX1 : DRBG_PREFIX0;

		/* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */
		prefix_str.buf = &prefix;
		ret = drbg_kcapi_hash(drbg, drbg->C, &seedlist);
		if (ret)
			return ret;
		drbg_kcapi_hmacsetkey(drbg, drbg->C);

		/* 10.1.2.2 step 2 and 5 -- HMAC for V */
		ret = drbg_kcapi_hash(drbg, drbg->V, &vdatalist);
		if (ret)
			return ret;

		/* 10.1.2.2 step 3: nothing to mix in, one round is enough */
		if (!seed)
			return ret;
	}

	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  704) 
/*
 * generate function of HMAC DRBG as defined in 10.1.2.5
 *
 * @drbg: DRBG state; V is hashed in place and copied out block by block
 * @buf: output buffer for the random data
 * @buflen: number of bytes requested
 * @addtl: optional list of additional input strings, may be NULL or empty
 *
 * Return: number of bytes written to buf on success, otherwise the error of
 * the failing step.
 *
 * NOTE(review): the byte count is kept in an int while buflen is unsigned and
 * is not clamped the way drbg_ctr_generate does with min_t(); this presumably
 * relies on callers limiting the request size -- confirm.
 */
static int drbg_hmac_generate(struct drbg_state *drbg,
			      unsigned char *buf,
			      unsigned int buflen,
			      struct list_head *addtl)
{
	struct drbg_string v_str;
	struct list_head *update_input;
	LIST_HEAD(datalist);
	int produced = 0;
	int ret = 0;

	/* 10.1.2.5 step 2: mix in additional input before generating */
	if (addtl && !list_empty(addtl)) {
		ret = drbg_hmac_update(drbg, addtl, 1);
		if (ret)
			return ret;
	}

	drbg_string_fill(&v_str, drbg->V, drbg_statelen(drbg));
	list_add_tail(&v_str.list, &datalist);
	while (produced < buflen) {
		unsigned int chunk;

		/* 10.1.2.5 step 4.1: V = HMAC(V) */
		ret = drbg_kcapi_hash(drbg, drbg->V, &datalist);
		if (ret)
			return ret;

		/* the last round may only need a part of the block */
		chunk = buflen - produced;
		if (drbg_blocklen(drbg) < chunk)
			chunk = drbg_blocklen(drbg);

		/* 10.1.2.5 step 4.2 */
		memcpy(buf + produced, drbg->V, chunk);
		produced += chunk;
	}

	/* 10.1.2.5 step 6: update the state, with addtl when it was given */
	update_input = (addtl && !list_empty(addtl)) ? addtl : NULL;
	ret = drbg_hmac_update(drbg, update_input, 1);
	if (ret)
		return ret;

	return produced;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  749) 
/*
 * Operations table of the HMAC DRBG: the hash setup and teardown helpers plus
 * the update and generate callbacks defined above.
 */
static const struct drbg_state_ops drbg_hmac_ops = {
	.crypto_init = drbg_init_hash_kernel,
	.crypto_fini = drbg_fini_hash_kernel,
	.update = drbg_hmac_update,
	.generate = drbg_hmac_generate,
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  756) #endif /* CONFIG_CRYPTO_DRBG_HMAC */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  757) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  758) /******************************************************************
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  759)  * Hash DRBG callback functions
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  760)  ******************************************************************/
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  761) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  762) #ifdef CONFIG_CRYPTO_DRBG_HASH
#define CRYPTO_DRBG_HASH_STRING "HASH "
/*
 * Crypto API names under which the Hash DRBG variants can be requested and the
 * module auto-loaded; "pr" and "nopr" presumably stand for with and without
 * prediction resistance, matching the file header.
 * NOTE(review): the SHA-1 based variants are exported as well. Check whether
 * the deployment's crypto policy still allows SHA-1 for random number
 * generation before relying on them.
 */
MODULE_ALIAS_CRYPTO("drbg_pr_sha512");
MODULE_ALIAS_CRYPTO("drbg_nopr_sha512");
MODULE_ALIAS_CRYPTO("drbg_pr_sha384");
MODULE_ALIAS_CRYPTO("drbg_nopr_sha384");
MODULE_ALIAS_CRYPTO("drbg_pr_sha256");
MODULE_ALIAS_CRYPTO("drbg_nopr_sha256");
MODULE_ALIAS_CRYPTO("drbg_pr_sha1");
MODULE_ALIAS_CRYPTO("drbg_nopr_sha1");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  772) 
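/*
 * Increment buffer
 *
 * Treats both buffers as big-endian numbers (most significant byte first) and
 * computes dst = (dst + add) modulo 2^(8 * dstlen) in place.
 *
 * @dst buffer to increment
 * @dstlen length of dst in bytes
 * @add value to add
 * @addlen length of add in bytes
 *
 * Callers are expected to pass dstlen >= addlen. If add is longer than dst,
 * only its low-order dstlen bytes are used: the higher bytes cannot change the
 * result of the modular addition, and walking them would write in front of
 * dst. A length of zero on either side is handled without forming a pointer
 * outside the buffers.
 */
static inline void drbg_add_buf(unsigned char *dst, size_t dstlen,
				const unsigned char *add, size_t addlen)
{
	unsigned int carry = 0;
	/* number of byte positions both buffers have in common */
	size_t overlap = (addlen < dstlen) ? addlen : dstlen;
	size_t di = dstlen;
	size_t ai = addlen;

	/* add byte by byte, starting at the least significant end */
	while (overlap) {
		overlap--;
		di--;
		ai--;
		carry += (unsigned int)dst[di] + add[ai];
		dst[di] = carry & 0xff;
		carry >>= 8;
	}

	/* ripple a remaining carry through the upper bytes of dst */
	while (di && carry) {
		di--;
		carry += dst[di];
		dst[di] = carry & 0xff;
		carry >>= 8;
	}
	/* a carry out of the top byte is dropped: the sum wraps around */
}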
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  804) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  805) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  806)  * scratchpad usage: as drbg_hash_update and drbg_hash_df are used
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  807)  * interlinked, the scratchpad is used as follows:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  808)  * drbg_hash_update
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  809)  *	start: drbg->scratchpad
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  810)  *	length: drbg_statelen(drbg)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  811)  * drbg_hash_df:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  812)  *	start: drbg->scratchpad + drbg_statelen(drbg)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  813)  *	length: drbg_blocklen(drbg)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  814)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  815)  * drbg_hash_process_addtl uses the scratchpad, but fully completes
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  816)  * before either of the functions mentioned before are invoked. Therefore,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  817)  * drbg_hash_process_addtl does not need to be specifically considered.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  818)  */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  819) 
/*
 * Derivation function for the Hash DRBG (Hash_df), SP800-90A section 10.4.1.
 *
 * @drbg: DRBG state; the scratchpad region starting at offset
 *	  drbg_statelen(drbg) receives every intermediate digest
 * @outval: buffer that receives the derived bytes
 * @outlen: number of bytes to derive into @outval
 * @entropylist: list of input strings; a 5-byte header (counter byte plus
 *		 outlen * 8 as written by drbg_cpu_to_be32()) is linked in
 *		 at its head
 *
 * return: 0 on success, otherwise the error code of drbg_kcapi_hash()
 *
 * The header string lives on this function's stack and is not unlinked from
 * @entropylist again, so the list is not safe to traverse once this function
 * has returned. On error @outval may already hold some derived blocks.
 */
static int drbg_hash_df(struct drbg_state *drbg,
			unsigned char *outval, size_t outlen,
			struct list_head *entropylist)
{
	struct drbg_string hdr;
	unsigned char counter_and_bits[5];
	unsigned char *digest = drbg->scratchpad + drbg_statelen(drbg);
	size_t done;
	int ret = 0;

	/* 10.4.1 step 3: counter starts at 1, the requested bit count follows */
	counter_and_bits[0] = 1;
	drbg_cpu_to_be32((outlen * 8), &counter_and_bits[1]);

	/* 10.4.1 step 4.1 -- the header is hashed ahead of the caller's data */
	drbg_string_fill(&hdr, counter_and_bits, 5);
	list_add(&hdr.list, entropylist);

	/* 10.4.1 step 4: one digest per round until outlen bytes are copied */
	for (done = 0; done < outlen; ) {
		size_t remaining = outlen - done;
		short chunk;

		/* 10.4.1 step 4.1 */
		ret = drbg_kcapi_hash(drbg, digest, entropylist);
		if (ret)
			break;

		/* 10.4.1 step 4.2 */
		counter_and_bits[0]++;
		if (drbg_blocklen(drbg) < remaining)
			chunk = drbg_blocklen(drbg);
		else
			chunk = remaining;
		memcpy(outval + done, digest, chunk);
		done += chunk;
	}

	/* wipe the last digest from the scratchpad on success and on failure */
	memset(digest, 0, drbg_blocklen(drbg));
	return ret;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  858) 
/*
 * Update function for the Hash DRBG: instantiation (SP800-90A 10.1.1.2) and
 * reseeding (10.1.1.3).
 *
 * @drbg: DRBG state whose V and C are recomputed
 * @seed: list of seed strings; must not be NULL. It is spliced into a local
 *	  list, so the caller's list head must not be reused as is.
 * @reseed: non-zero to mix the current V into the derivation (10.1.1.3)
 *
 * return: 0 on success, -EINVAL without @seed, otherwise the error code of
 *	   drbg_hash_df()
 */
static int drbg_hash_update(struct drbg_state *drbg, struct list_head *seed,
			    int reseed)
{
	struct drbg_string prefix_str, state_str;
	LIST_HEAD(v_input);
	LIST_HEAD(c_input);
	unsigned char *old_v = drbg->scratchpad;
	unsigned char prefix = DRBG_PREFIX1;
	int ret;

	if (!seed)
		return -EINVAL;

	if (reseed) {
		/*
		 * 10.1.1.3 step 1: hash a copy of V, because drbg_hash_df()
		 * writes the new value into drbg->V block by block while the
		 * input list is hashed again for every block.
		 */
		memcpy(old_v, drbg->V, drbg_statelen(drbg));
		drbg_string_fill(&prefix_str, &prefix, 1);
		list_add_tail(&prefix_str.list, &v_input);
		drbg_string_fill(&state_str, old_v, drbg_statelen(drbg));
		list_add_tail(&state_str.list, &v_input);
	}
	list_splice_tail(seed, &v_input);

	/* 10.1.1.2 / 10.1.1.3 step 2 and 3 */
	ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &v_input);
	if (!ret) {
		/* 10.1.1.2 / 10.1.1.3 step 4: C is derived from the new V */
		prefix = DRBG_PREFIX0;
		drbg_string_fill(&prefix_str, &prefix, 1);
		list_add_tail(&prefix_str.list, &c_input);
		drbg_string_fill(&state_str, drbg->V, drbg_statelen(drbg));
		list_add_tail(&state_str.list, &c_input);
		ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg),
				   &c_input);
	}

	/* the copy of the previous V must not outlive this call */
	memset(drbg->scratchpad, 0, drbg_statelen(drbg));
	return ret;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  901) 
/*
 * Mix an additional information string into V (SP800-90A 10.1.1.4 step 2).
 *
 * @drbg: DRBG state; V is modified in place
 * @addtl: list of additional input strings, may be NULL or empty. A non-empty
 *	   list is spliced into a local list.
 *
 * return: 0 on success or when there is nothing to process, otherwise the
 *	   error code of drbg_kcapi_hash()
 */
static int drbg_hash_process_addtl(struct drbg_state *drbg,
				   struct list_head *addtl)
{
	struct drbg_string prefix_str, v_str;
	LIST_HEAD(hash_input);
	unsigned char prefix = DRBG_PREFIX2;
	int ret;

	/* 10.1.1.4 step 2: without additional input V stays untouched */
	if (!addtl || list_empty(addtl))
		return 0;

	/* 10.1.1.4 step 2a: hash prefix, V and the additional input */
	drbg_string_fill(&prefix_str, &prefix, 1);
	list_add_tail(&prefix_str.list, &hash_input);
	drbg_string_fill(&v_str, drbg->V, drbg_statelen(drbg));
	list_add_tail(&v_str.list, &hash_input);
	list_splice_tail(addtl, &hash_input);
	ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &hash_input);

	/* 10.1.1.4 step 2b: add the digest to V only if hashing succeeded */
	if (!ret)
		drbg_add_buf(drbg->V, drbg_statelen(drbg),
			     drbg->scratchpad, drbg_blocklen(drbg));

	/* the digest is state-derived, so it is wiped on every exit path */
	memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
	return ret;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  933) 
/*
 * Hashgen as defined in SP800-90A 10.1.1.4: produce output by hashing a
 * working copy of V that is incremented between blocks.
 *
 * @drbg: DRBG state; V itself is only read here
 * @buf: output buffer
 * @buflen: number of bytes requested
 *
 * return: number of generated bytes, or the negative error code of
 *	   drbg_kcapi_hash(); on error @buf may already hold earlier blocks
 *
 * Scratchpad layout: the working copy of V occupies the first
 * drbg_statelen(drbg) bytes, the current digest follows it. Both are wiped
 * before returning.
 */
static int drbg_hash_hashgen(struct drbg_state *drbg,
			     unsigned char *buf,
			     unsigned int buflen)
{
	unsigned char *counter = drbg->scratchpad;
	unsigned char *digest = drbg->scratchpad + drbg_statelen(drbg);
	struct drbg_string counter_str;
	LIST_HEAD(hash_input);
	int produced = 0;
	int ret;

	/* 10.1.1.4 step hashgen 2 */
	memcpy(counter, drbg->V, drbg_statelen(drbg));

	drbg_string_fill(&counter_str, counter, drbg_statelen(drbg));
	list_add_tail(&counter_str.list, &hash_input);

	while (produced < buflen) {
		unsigned int outlen;

		/* 10.1.1.4 step hashgen 4.1 */
		ret = drbg_kcapi_hash(drbg, digest, &hash_input);
		if (ret) {
			/* hand the error to the caller instead of a length */
			produced = ret;
			break;
		}

		/* the final block may be shorter than a full digest */
		outlen = buflen - produced;
		if (drbg_blocklen(drbg) < outlen)
			outlen = drbg_blocklen(drbg);

		/* 10.1.1.4 step hashgen 4.2 */
		memcpy(buf + produced, digest, outlen);
		produced += outlen;

		/* 10.1.1.4 hashgen step 4.3 */
		if (produced < buflen)
			crypto_inc(counter, drbg_statelen(drbg));
	}

	/* wipe both the working copy of V and the last digest */
	memset(drbg->scratchpad, 0,
	       (drbg_statelen(drbg) + drbg_blocklen(drbg)));
	return produced;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  974) 
/*
 * Generate function for the Hash DRBG as defined in SP800-90A 10.1.1.4.
 *
 * @drbg: DRBG state; V is advanced after the output was produced
 * @buf: output buffer
 * @buflen: number of bytes requested
 * @addtl: optional list of additional input strings
 *
 * return: the value returned by drbg_hash_hashgen() (byte count or negative
 *	   error), or a negative error code from the other steps
 *
 * NOTE(review): a negative return of drbg_hash_hashgen() is not checked
 * before steps 4 and 5 run, so V is still advanced in that case; the error
 * reaches the caller through the return value.
 */
static int drbg_hash_generate(struct drbg_state *drbg,
			      unsigned char *buf, unsigned int buflen,
			      struct list_head *addtl)
{
	union {
		unsigned char req[8];
		__be64 req_int;
	} ctr;
	struct drbg_string prefix_str, v_str;
	LIST_HEAD(hash_input);
	unsigned char prefix = DRBG_PREFIX3;
	int produced;
	int ret;

	/* 10.1.1.4 step 2 */
	ret = drbg_hash_process_addtl(drbg, addtl);
	if (ret)
		return ret;

	/* 10.1.1.4 step 3 */
	produced = drbg_hash_hashgen(drbg, buf, buflen);

	/* 10.1.1.4 step 4: the digest computed here is the value H */
	drbg_string_fill(&prefix_str, &prefix, 1);
	list_add_tail(&prefix_str.list, &hash_input);
	drbg_string_fill(&v_str, drbg->V, drbg_statelen(drbg));
	list_add_tail(&v_str.list, &hash_input);
	ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &hash_input);
	if (ret) {
		produced = ret;
	} else {
		/* 10.1.1.4 step 5: add H, C and the reseed counter to V */
		drbg_add_buf(drbg->V, drbg_statelen(drbg),
			     drbg->scratchpad, drbg_blocklen(drbg));
		drbg_add_buf(drbg->V, drbg_statelen(drbg),
			     drbg->C, drbg_statelen(drbg));
		ctr.req_int = cpu_to_be64(drbg->reseed_ctr);
		drbg_add_buf(drbg->V, drbg_statelen(drbg), ctr.req, 8);
	}

	/* H is derived from V and must not stay in the scratchpad */
	memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
	return produced;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1021) 
/*
 * Operation table of the Hash DRBG.
 *
 * scratchpad usage: update and generate never run interleaved, so both may
 * use the scratchpad.
 */
static const struct drbg_state_ops drbg_hash_ops = {
	.update = drbg_hash_update,		/* 10.1.1.2 / 10.1.1.3 */
	.generate = drbg_hash_generate,		/* 10.1.1.4 */
	.crypto_init = drbg_init_hash_kernel,
	.crypto_fini = drbg_fini_hash_kernel,
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1032) #endif /* CONFIG_CRYPTO_DRBG_HASH */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1033) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1034) /******************************************************************
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1035)  * Functions common for DRBG implementations
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1036)  ******************************************************************/
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1037) 
/*
 * Run the type-specific update operation on the seed material and, when it
 * succeeds, mark the DRBG as seeded and restart the reseed counter.
 *
 * @drbg: DRBG state
 * @seed: list of seed strings handed to d_ops->update()
 * @reseed: passed through to d_ops->update()
 *
 * return: 0 on success, otherwise the error code of d_ops->update(); in the
 *	   error case seeded and reseed_ctr are left as they were
 */
static inline int __drbg_seed(struct drbg_state *drbg, struct list_head *seed,
			      int reseed)
{
	int err = drbg->d_ops->update(drbg, seed, reseed);

	if (!err) {
		drbg->seeded = true;
		/* 10.1.1.2 / 10.1.1.3 step 5 */
		drbg->reseed_ctr = 1;
	}

	return err;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1052) 
/*
 * Fill @entropy from get_random_bytes() and pass the result through
 * drbg_fips_continuous_test().
 *
 * @drbg: DRBG state handed to the continuous test
 * @entropy: buffer to fill
 * @entropylen: number of bytes to fetch
 *
 * return: 0 once the continuous test accepts a sample, otherwise the error
 *	   code of the test
 *
 * A test result of -EAGAIN means "draw again". The retry loop has no upper
 * bound; it ends only when the test returns 0 or a different error.
 */
static inline int drbg_get_random_bytes(struct drbg_state *drbg,
					unsigned char *entropy,
					unsigned int entropylen)
{
	for (;;) {
		int ret;

		get_random_bytes(entropy, entropylen);
		ret = drbg_fips_continuous_test(drbg, entropy);
		if (!ret)
			return 0;
		if (ret != -EAGAIN)
			return ret;
	}
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1068) 
/*
 * Work item that reseeds the DRBG with fresh bytes from
 * drbg_get_random_bytes().
 *
 * @work: the seed_work member embedded in the struct drbg_state to reseed
 *
 * The reseed runs under drbg_mutex. Nothing is returned: a failure is only
 * visible through drbg->seeded staying false, or, when fetching the entropy
 * already failed, through the state being left unchanged.
 */
static void drbg_async_seed(struct work_struct *work)
{
	struct drbg_state *drbg = container_of(work, struct drbg_state,
					       seed_work);
	unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
	unsigned char entropy[32];
	struct drbg_string seed_str;
	LIST_HEAD(seedlist);

	/* a zero or oversized strength would seed nothing or overrun the stack */
	BUG_ON(!entropylen);
	BUG_ON(entropylen > sizeof(entropy));

	drbg_string_fill(&seed_str, entropy, entropylen);
	list_add_tail(&seed_str.list, &seedlist);

	mutex_lock(&drbg->drbg_mutex);

	if (!drbg_get_random_bytes(drbg, entropy, entropylen)) {
		/*
		 * Clear seeded first so that a failing __drbg_seed makes the
		 * next generate call trigger a reseed.
		 */
		drbg->seeded = false;

		__drbg_seed(drbg, &seedlist, true);

		if (drbg->seeded)
			drbg->reseed_threshold = drbg_max_requests(drbg);
	}

	mutex_unlock(&drbg->drbg_mutex);

	/* the seed material on the stack is wiped on every path */
	memzero_explicit(entropy, entropylen);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1106) 
/*
 * Seeding or reseeding of the DRBG
 *
 * @drbg: DRBG state struct
 * @pers: personalization / additional information buffer, may be NULL; it is
 *	  linked into the seed list only if it has a buffer and a non-zero
 *	  length
 * @reseed: 0 for initial seed process, 1 for reseeding
 *
 * The seed comes from drbg->test_data when list_empty() reports that list
 * head as empty (presumably it has been set up with drbg_string_fill() in
 * that case -- TODO confirm), otherwise from drbg_get_random_bytes() and,
 * if drbg->jent is set, additionally from the Jitter RNG.
 *
 * return:
 *	0 on success
 *	error value otherwise
 */
static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers,
		     bool reseed)
{
	unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
	unsigned char entropy[((32 + 16) * 2)];
	struct drbg_string seed_str;
	LIST_HEAD(seedlist);
	int ret;

	/* 9.1 / 9.2 / 9.3.1 step 3 */
	if (pers && pers->len > (drbg_max_addtl(drbg))) {
		pr_devel("DRBG: personalization string too long %zu\n",
			 pers->len);
		return -EINVAL;
	}

	if (!list_empty(&drbg->test_data.list)) {
		unsigned int seedlen;

		/*
		 * Gather entropy equal to the security strength of the DRBG.
		 * A derivation function additionally needs a nonce of at
		 * least half the security strength, so entropy + nonce come
		 * to 3/2 of the strength. The nonce only matters for the
		 * initial seeding.
		 */
		BUG_ON(!entropylen);
		if (!reseed)
			entropylen = ((entropylen + 1) / 2) * 3;
		/* both halves (random.c and Jitter RNG) must fit the buffer */
		BUG_ON((entropylen * 2) > sizeof(entropy));

		/* Get seed from in-kernel /dev/urandom */
		ret = drbg_get_random_bytes(drbg, entropy, entropylen);
		if (ret)
			goto out;

		seedlen = entropylen;
		if (drbg->jent) {
			/* Get seed from Jitter RNG */
			ret = crypto_rng_get_bytes(drbg->jent,
						   entropy + entropylen,
						   entropylen);
			if (ret) {
				pr_devel("DRBG: jent failed with %d\n", ret);

				/*
				 * A transient Jitter RNG failure is not
				 * reported as an error: the maximum reseed
				 * threshold times the maximum number of
				 * transient Jitter RNG errors stays below
				 * the reseed threshold required by
				 * SP800-90A.
				 *
				 * The first seeding operation, however, must
				 * succeed with the Jitter RNG.
				 *
				 * NOTE(review): when execution continues
				 * after -EAGAIN, the second half of entropy[]
				 * holds whatever the failed call left there;
				 * the array has no initializer.
				 */
				if (!reseed || ret != -EAGAIN)
					goto out;
			}
			seedlen = entropylen * 2;
		}

		drbg_string_fill(&seed_str, entropy, seedlen);
		pr_devel("DRBG: (re)seeding with %u bytes of entropy\n",
			 seedlen);
	} else {
		drbg_string_fill(&seed_str, drbg->test_data.buf,
				 drbg->test_data.len);
		pr_devel("DRBG: using test entropy\n");
	}
	list_add_tail(&seed_str.list, &seedlist);

	/*
	 * Concatenate the entropy with the personalization string or
	 * additional input. pers comes straight from the caller, so its
	 * contents are checked before it is linked in.
	 */
	if (pers && pers->buf && 0 < pers->len) {
		list_add_tail(&pers->list, &seedlist);
		pr_devel("DRBG: using personalization string\n");
	}

	/* an initial seeding starts from an all-zero V and C */
	if (!reseed) {
		memset(drbg->V, 0, drbg_statelen(drbg));
		memset(drbg->C, 0, drbg_statelen(drbg));
	}

	ret = __drbg_seed(drbg, &seedlist, reseed);

out:
	/* wipe the seed material from the stack, also on the error paths */
	memzero_explicit(entropy, entropylen * 2);

	return ret;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1216) 
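/*
 * Free all substructures in a DRBG state without the DRBG state structure.
 *
 * @drbg: DRBG state, may be NULL
 *
 * Every buffer is released with kfree_sensitive(), which clears the memory
 * before freeing it, and every pointer into a released buffer is reset so
 * that a later use fails on a NULL pointer instead of touching freed memory.
 */
static inline void drbg_dealloc_state(struct drbg_state *drbg)
{
	if (!drbg)
		return;
	kfree_sensitive(drbg->Vbuf);
	drbg->Vbuf = NULL;
	drbg->V = NULL;
	kfree_sensitive(drbg->Cbuf);
	drbg->Cbuf = NULL;
	drbg->C = NULL;
	kfree_sensitive(drbg->scratchpadbuf);
	drbg->scratchpadbuf = NULL;
	/*
	 * Reset the working pointer as well, the same way V and C are reset
	 * next to Vbuf and Cbuf (scratchpad presumably points into
	 * scratchpadbuf); otherwise it would keep referring to freed memory.
	 */
	drbg->scratchpad = NULL;
	drbg->reseed_ctr = 0;
	drbg->d_ops = NULL;
	drbg->core = NULL;
	if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) {
		/* previous block kept for the FIPS continuous test */
		kfree_sensitive(drbg->prev);
		drbg->prev = NULL;
		drbg->fips_primed = false;
	}
}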
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1239) 
/*
 * Allocate the working buffers that hang off a DRBG state.
 * The DRBG state structure itself must already be allocated and
 * drbg->core must already point at the selected core.
 *
 * The operations table is chosen from drbg->core->flags and its
 * crypto_init hook is called. The non-negative value that hook returns is
 * used as an alignment mask: every buffer is over-allocated by that many
 * bytes and the working pointer (V, C, scratchpad) is the PTR_ALIGN()ed
 * view into the raw allocation (Vbuf, Cbuf, scratchpadbuf).
 *
 * @drbg DRBG state handle
 *
 * return: 0 on success; -EOPNOTSUPP if the DRBG type is not compiled in;
 *	   -ENOMEM if an allocation fails; otherwise the negative value
 *	   returned by crypto_init. Every error path ends in
 *	   drbg_dealloc_state().
 */
static inline int drbg_alloc_state(struct drbg_state *drbg)
{
	unsigned int sb_size = 0;
	int alignmask;
	int ret;

	switch (drbg->core->flags & DRBG_TYPE_MASK) {
#ifdef CONFIG_CRYPTO_DRBG_HMAC
	case DRBG_HMAC:
		drbg->d_ops = &drbg_hmac_ops;
		break;
#endif /* CONFIG_CRYPTO_DRBG_HMAC */
#ifdef CONFIG_CRYPTO_DRBG_HASH
	case DRBG_HASH:
		drbg->d_ops = &drbg_hash_ops;
		break;
#endif /* CONFIG_CRYPTO_DRBG_HASH */
#ifdef CONFIG_CRYPTO_DRBG_CTR
	case DRBG_CTR:
		drbg->d_ops = &drbg_ctr_ops;
		break;
#endif /* CONFIG_CRYPTO_DRBG_CTR */
	default:
		/* no ops table selected, so skip crypto_fini on the way out */
		ret = -EOPNOTSUPP;
		goto err;
	}

	alignmask = drbg->d_ops->crypto_init(drbg);
	if (alignmask < 0) {
		ret = alignmask;
		goto err;
	}

	/* from here on the only failure mode is a failed allocation */
	ret = -ENOMEM;

	drbg->Vbuf = kmalloc(drbg_statelen(drbg) + alignmask, GFP_KERNEL);
	if (!drbg->Vbuf)
		goto fini;
	drbg->V = PTR_ALIGN(drbg->Vbuf, alignmask + 1);

	drbg->Cbuf = kmalloc(drbg_statelen(drbg) + alignmask, GFP_KERNEL);
	if (!drbg->Cbuf)
		goto fini;
	drbg->C = PTR_ALIGN(drbg->Cbuf, alignmask + 1);

	/* a scratchpad is only needed for CTR and Hash, never for HMAC */
	if (!(drbg->core->flags & DRBG_HMAC)) {
		if (drbg->core->flags & DRBG_CTR)
			sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) + /* temp */
				  drbg_statelen(drbg) +	/* df_data */
				  drbg_blocklen(drbg) +	/* pad */
				  drbg_blocklen(drbg) +	/* iv */
				  drbg_statelen(drbg) + drbg_blocklen(drbg); /* temp */
		else
			sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg);
	}

	if (sb_size > 0) {
		drbg->scratchpadbuf = kzalloc(sb_size + alignmask, GFP_KERNEL);
		if (!drbg->scratchpadbuf)
			goto fini;
		drbg->scratchpad = PTR_ALIGN(drbg->scratchpadbuf,
					     alignmask + 1);
	}

	if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) {
		/* zeroed buffer of drbg_sec_strength() bytes, not yet primed */
		drbg->prev = kzalloc(drbg_sec_strength(drbg->core->flags),
				     GFP_KERNEL);
		if (!drbg->prev)
			goto fini;
		drbg->fips_primed = false;
	}

	return 0;

fini:
	/* crypto_init succeeded, so its counterpart has to run */
	drbg->d_ops->crypto_fini(drbg);
err:
	drbg_dealloc_state(drbg);
	return ret;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1325) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1326) /*************************************************************************
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1327)  * DRBG interface functions
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1328)  *************************************************************************/
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1329) 
/*
 * DRBG generate function as required by SP800-90A - this function
 * generates random numbers
 *
 * This function takes no lock itself; drbg_generate_long() holds
 * drbg->drbg_mutex around each call.
 *
 * @drbg DRBG state handle
 * @buf Buffer where to store the random numbers -- the buffer must already
 *      be pre-allocated by caller
 * @buflen Length of output buffer - this value defines the number of random
 *	   bytes pulled from DRBG; must be non-zero and no larger than
 *	   drbg_max_request_bytes()
 * @addtl Additional input that is mixed into state, may be NULL -- note
 *	  the entropy is pulled by the DRBG internally unconditionally
 *	  as defined in SP800-90A. The additional input is mixed into
 *	  the state in addition to the pulled entropy.
 *
 * return: 0 when all bytes are generated; < 0 in case of an error. @buf is
 *	   not cleared here on failure, so callers must not use its content
 *	   when a negative value is returned.
 */
static int drbg_generate(struct drbg_state *drbg,
			 unsigned char *buf, unsigned int buflen,
			 struct drbg_string *addtl)
{
	int rc;
	LIST_HEAD(addtllist);

	if (!drbg->core) {
		pr_devel("DRBG: not yet seeded\n");
		return -EINVAL;
	}
	if (!buf || buflen == 0) {
		pr_devel("DRBG: no output buffer provided\n");
		return -EINVAL;
	}
	/* a non-zero length without a buffer is malformed additional input */
	if (addtl && addtl->len > 0 && !addtl->buf) {
		pr_devel("DRBG: wrong format of additional information\n");
		return -EINVAL;
	}

	/* 9.3.1 step 2 */
	if (buflen > drbg_max_request_bytes(drbg)) {
		pr_devel("DRBG: requested random numbers too large %u\n",
			 buflen);
		return -EINVAL;
	}

	/* 9.3.1 step 3 is implicit with the chosen DRBG */

	/* 9.3.1 step 4 */
	if (addtl && addtl->len > drbg_max_addtl(drbg)) {
		pr_devel("DRBG: additional information string too long %zu\n",
			 addtl->len);
		return -EINVAL;
	}
	/* 9.3.1 step 5 is implicit with the chosen DRBG */

	/*
	 * 9.3.1 step 6 and 9 supplemented by 9.3.2 step c is implemented
	 * here. The spec is a bit convoluted here, we make it simpler:
	 * once the request counter has passed the threshold the state is
	 * treated as unseeded, which forces the reseed below.
	 */
	if (drbg->reseed_ctr > drbg->reseed_threshold)
		drbg->seeded = false;

	if (drbg->pr || !drbg->seeded) {
		pr_devel("DRBG: reseeding before generation (prediction "
			 "resistance: %s, state %s)\n",
			 drbg->pr ? "true" : "false",
			 drbg->seeded ? "seeded" : "unseeded");
		/* 9.3.1 steps 7.1 through 7.3 */
		rc = drbg_seed(drbg, addtl, true);
		if (rc)
			return rc;
		/* 9.3.1 step 7.4: the additional input was consumed by the reseed */
		addtl = NULL;
	}

	if (addtl && addtl->len > 0)
		list_add_tail(&addtl->list, &addtllist);
	/* 9.3.1 step 8 and 10 */
	rc = drbg->d_ops->generate(drbg, buf, buflen, &addtllist);

	/*
	 * 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7
	 * The counter is advanced whether or not generate succeeded.
	 */
	drbg->reseed_ctr++;
	if (rc <= 0)
		return rc;

	/*
	 * Section 11.3.3 requires to re-perform self tests after some
	 * generated random numbers. The chosen value after which self
	 * test is performed is arbitrary, but it should be reasonable.
	 * However, we do not perform the self tests because of the following
	 * reasons: it is mathematically impossible that the initial self tests
	 * were successful and the following are not. If the initial would
	 * pass and the following would not, the kernel integrity is violated.
	 * In this case, the entire kernel operation is questionable and it
	 * is unlikely that the integrity violation only affects the
	 * correct operation of the DRBG.
	 *
	 * Albeit the following code is commented out, it is provided in
	 * case somebody has a need to implement the test of 11.3.3.
	 *
	 * NOTE(review): as written, the disabled block returns 0 (success)
	 * after a failed self test and uninstantiate; if it is ever enabled
	 * it should return an error so the caller discards the output.
	 */
#if 0
	if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096)) {
		int err = 0;
		pr_devel("DRBG: start to perform self test\n");
		if (drbg->core->flags & DRBG_HMAC)
			err = alg_test("drbg_pr_hmac_sha256",
				       "drbg_pr_hmac_sha256", 0, 0);
		else if (drbg->core->flags & DRBG_CTR)
			err = alg_test("drbg_pr_ctr_aes128",
				       "drbg_pr_ctr_aes128", 0, 0);
		else
			err = alg_test("drbg_pr_sha256",
				       "drbg_pr_sha256", 0, 0);
		if (err) {
			pr_err("DRBG: periodical self test failed\n");
			/*
			 * uninstantiate implies that from now on, only errors
			 * are returned when reusing this DRBG cipher handle
			 */
			drbg_uninstantiate(drbg);
			return 0;
		} else {
			pr_devel("DRBG: self test successful\n");
		}
	}
#endif

	/*
	 * All operations were successful, return 0 as mandated by
	 * the kernel crypto API interface.
	 */
	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1464) 
/*
 * Wrapper around drbg_generate which can pull arbitrarily long strings
 * from the DRBG without hitting the maximum request limitation.
 *
 * The request is cut into chunks of at most drbg_max_request_bytes().
 * drbg->drbg_mutex is taken and released around every chunk, so it is not
 * held across the whole request, and @addtl is handed to every chunk.
 *
 * Parameters: see drbg_generate
 * Return codes: see drbg_generate -- if one drbg_generate request fails,
 *		 the entire drbg_generate_long request fails; chunks already
 *		 written to @buf are left in place
 */
static int drbg_generate_long(struct drbg_state *drbg,
			      unsigned char *buf, unsigned int buflen,
			      struct drbg_string *addtl)
{
	unsigned int done = 0;

	for (;;) {
		unsigned int max_req = drbg_max_request_bytes(drbg);
		unsigned int remaining = buflen - done;
		unsigned int full_slices = remaining / max_req;
		/* a full-size chunk while one fits, else the tail */
		unsigned int chunk = full_slices ? max_req : remaining;
		int err;

		mutex_lock(&drbg->drbg_mutex);
		err = drbg_generate(drbg, buf + done, chunk, addtl);
		mutex_unlock(&drbg->drbg_mutex);
		if (err < 0)
			return err;

		done += chunk;
		/* the tail chunk was just produced, or the buffer is full */
		if (!full_slices || done >= buflen)
			break;
	}

	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1493) 
/*
 * Callback installed in drbg->random_ready.func by drbg_prepare_hrng().
 * It only queues drbg->seed_work; the seeding itself runs in the work
 * handler, not in the callback context.
 *
 * @rdy the random_ready member embedded in the owning struct drbg_state
 */
static void drbg_schedule_async_seed(struct random_ready_callback *rdy)
{
	struct drbg_state *owner;

	/* recover the enclosing DRBG state from its embedded callback */
	owner = container_of(rdy, struct drbg_state, random_ready);
	schedule_work(&owner->seed_work);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1501) 
/*
 * Set up the entropy sources used for seeding: allocate the Jitter RNG
 * handle and register a callback that schedules an asynchronous reseed.
 *
 * drbg->jent is left holding whatever crypto_alloc_rng() returned, which
 * may be an ERR_PTR; it is not checked here. drbg_instantiate() tests it
 * with IS_ERR() after this function returns.
 *
 * @drbg DRBG state handle
 *
 * return: 0 on success, including when add_random_ready_callback() reports
 *	   -EALREADY; any other error from add_random_ready_callback()
 *	   is returned unchanged
 */
static int drbg_prepare_hrng(struct drbg_state *drbg)
{
	int err;

	/*
	 * We do not need an HRNG in test mode.
	 * NOTE(review): test mode is detected by test_data.list being an
	 * initialised, empty list head -- presumably set up when test data
	 * is installed; confirm against drbg_string_fill().
	 */
	if (list_empty(&drbg->test_data.list))
		return 0;

	drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0);

	INIT_WORK(&drbg->seed_work, drbg_async_seed);

	drbg->random_ready.owner = THIS_MODULE;
	drbg->random_ready.func = drbg_schedule_async_seed;

	err = add_random_ready_callback(&drbg->random_ready);
	if (err) {
		/*
		 * No callback is pending: clear func so that
		 * drbg_uninstantiate() does not try to remove one.
		 * -EALREADY is not treated as a failure.
		 */
		drbg->random_ready.func = NULL;
		return err == -EALREADY ? 0 : err;
	}

	/*
	 * Require frequent reseeds until the seed source is fully
	 * initialized.
	 */
	drbg->reseed_threshold = 50;

	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1540) 
/*
 * DRBG instantiation function as required by SP800-90A - this function
 * sets up the DRBG handle, performs the initial seeding and all sanity
 * checks required by SP800-90A
 *
 * If drbg->core is already set the handle is treated as instantiated and
 * the call only reseeds it; @coreref and @pr are then not applied.
 *
 * @drbg DRBG state handle; must not be NULL, its mutex is taken first
 * @pers Personalization string that is mixed into state, may be NULL -- note
 *	 the entropy is pulled by the DRBG internally unconditionally
 *	 as defined in SP800-90A. The additional input is mixed into
 *	 the state in addition to the pulled entropy.
 * @coreref index into drbg_cores[]; it is not range-checked here
 *	    (NOTE(review): confirm every caller derives it from the table)
 * @pr prediction resistance enabled
 *
 * return
 *	0 on success
 *	error value otherwise; a failed first instantiation is undone with
 *	drbg_uninstantiate(), a failed reseed leaves the handle in place
 */
static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers,
			    int coreref, bool pr)
{
	bool first_use;
	int ret;

	pr_devel("DRBG: Initializing DRBG core %d with prediction resistance "
		 "%s\n", coreref, pr ? "enabled" : "disabled");
	mutex_lock(&drbg->drbg_mutex);

	/* 9.1 step 1 is implicit with the selected DRBG type */

	/*
	 * 9.1 step 2 is implicit as caller can select prediction resistance
	 * and the flag is copied into drbg->pr --
	 * all DRBG types support prediction resistance
	 */

	/* 9.1 step 4 is implicit in  drbg_sec_strength */

	first_use = !drbg->core;
	if (first_use) {
		drbg->core = &drbg_cores[coreref];
		drbg->pr = pr;
		drbg->seeded = false;
		drbg->reseed_threshold = drbg_max_requests(drbg);

		/* drbg_alloc_state() cleans up after itself on failure */
		ret = drbg_alloc_state(drbg);
		if (ret)
			goto unlock;

		ret = drbg_prepare_hrng(drbg);
		if (ret)
			goto free_everything;

		if (IS_ERR(drbg->jent)) {
			ret = PTR_ERR(drbg->jent);
			drbg->jent = NULL;
			/*
			 * A missing Jitter RNG (-ENOENT) is tolerated only
			 * outside FIPS mode; every other error is fatal.
			 */
			if (fips_enabled || ret != -ENOENT)
				goto free_everything;
			pr_info("DRBG: Continuing without Jitter RNG\n");
		}
	}

	/* initial seed on first use, reseed on an existing handle */
	ret = drbg_seed(drbg, pers, !first_use);
	if (ret && first_use)
		goto free_everything;

unlock:
	mutex_unlock(&drbg->drbg_mutex);
	return ret;

free_everything:
	/* the mutex is released before the state is torn down */
	mutex_unlock(&drbg->drbg_mutex);
	drbg_uninstantiate(drbg);
	return ret;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1620) 
/*
 * DRBG uninstantiate function as required by SP800-90A - this function
 * releases everything attached to the DRBG handle: the pending
 * random-ready callback and seed work, the Jitter RNG handle, the cipher
 * backend state and the buffers freed by drbg_dealloc_state().
 * The struct drbg_state itself is not freed here.
 *
 * @drbg DRBG state handle
 *
 * return
 *	0 on success (this function has no failure path)
 */
static int drbg_uninstantiate(struct drbg_state *drbg)
{
	/*
	 * Stop the asynchronous reseed first: remove the callback, then wait
	 * for queued seed work, before the resources below are released.
	 */
	if (drbg->random_ready.func) {
		del_random_ready_callback(&drbg->random_ready);
		cancel_work_sync(&drbg->seed_work);
	}

	/* jent may be NULL or an ERR_PTR; only a real handle is freed */
	if (!IS_ERR_OR_NULL(drbg->jent))
		crypto_free_rng(drbg->jent);
	drbg->jent = NULL;

	/* d_ops is unset when no DRBG type was ever selected */
	if (drbg->d_ops)
		drbg->d_ops->crypto_fini(drbg);

	drbg_dealloc_state(drbg);

	/* no scrubbing of test_data -- this shall survive an uninstantiate */
	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1647) 
/*
 * Helper function for setting the test data in the DRBG
 *
 * The update of drbg->test_data is done under drbg->drbg_mutex.
 *
 * @tfm RNG transform whose context is the DRBG state handle
 * @data test data
 * @len test data length
 */
static void drbg_kcapi_set_entropy(struct crypto_rng *tfm,
				   const u8 *data, unsigned int len)
{
	struct drbg_state *state = crypto_rng_ctx(tfm);

	mutex_lock(&state->drbg_mutex);
	drbg_string_fill(&state->test_data, data, len);
	mutex_unlock(&state->drbg_mutex);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1664) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1665) /***************************************************************
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1666)  * Kernel crypto API cipher invocations requested by DRBG
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1667)  ***************************************************************/
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1668) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1669) #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC)
/*
 * Hash descriptor kept in drbg->priv_data for the Hash and HMAC DRBG.
 * drbg_init_hash_kernel() allocates it with crypto_shash_descsize() extra
 * bytes behind the shash_desc header.
 */
struct sdesc {
	struct shash_desc shash;	/* descriptor header; .tfm is the hash handle */
	char ctx[];			/* trailing storage sized at allocation time */
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1674) 
/*
 * Allocate the hash transform named by drbg->core->backend_cra_name and the
 * descriptor that wraps it, and store the descriptor in drbg->priv_data.
 *
 * @drbg DRBG state handle; drbg->core must be set
 *
 * return: the alignment mask of the hash transform on success (the caller
 *	   uses it to align its buffers); the error from
 *	   crypto_alloc_shash() or -ENOMEM on failure
 */
static int drbg_init_hash_kernel(struct drbg_state *drbg)
{
	struct crypto_shash *hash_tfm;
	struct sdesc *desc;

	hash_tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0);
	if (IS_ERR(hash_tfm)) {
		pr_info("DRBG: could not allocate digest TFM handle: %s\n",
				drbg->core->backend_cra_name);
		return PTR_ERR(hash_tfm);
	}

	/* the core's block length must equal the digest size of the hash */
	BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(hash_tfm));

	/* descriptor header plus the per-request state the hash asks for */
	desc = kzalloc(sizeof(struct shash_desc) +
		       crypto_shash_descsize(hash_tfm), GFP_KERNEL);
	if (!desc) {
		crypto_free_shash(hash_tfm);
		return -ENOMEM;
	}

	desc->shash.tfm = hash_tfm;
	drbg->priv_data = desc;

	return crypto_shash_alignmask(hash_tfm);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1699) 
/*
 * Release the digest transform and descriptor set up by
 * drbg_init_hash_kernel(). A NULL priv_data is tolerated. Always returns 0.
 */
static int drbg_fini_hash_kernel(struct drbg_state *drbg)
{
	struct sdesc *desc = drbg->priv_data;

	if (desc) {
		crypto_free_shash(desc->shash.tfm);
		/* the descriptor carries hash state: wipe it while freeing */
		kfree_sensitive(desc);
	}
	drbg->priv_data = NULL;

	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1710) 
/*
 * Load @key into the HMAC transform held in drbg->priv_data. The key
 * length passed on is always drbg_statelen(drbg).
 *
 * NOTE(review): the return value of crypto_shash_setkey() is discarded and
 * the void signature gives callers no way to observe a failed key load.
 */
static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg,
				  const unsigned char *key)
{
	struct sdesc *desc = drbg->priv_data;
	struct crypto_shash *hash_tfm = desc->shash.tfm;

	crypto_shash_setkey(hash_tfm, key, drbg_statelen(drbg));
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1718) 
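/*
 * Hash (or HMAC, when a key was set) the concatenation of all buffers on
 * the list @in and write the digest to @outval.
 *
 * @drbg: DRBG state whose priv_data holds the hash descriptor
 * @outval: digest output buffer
 * @in: list of struct drbg_string entries, processed in list order
 *
 * return: 0 on success, otherwise the error reported by the first failing
 *	   init/update/final step; @outval is not written when init or
 *	   update fails.
 */
static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval,
			   const struct list_head *in)
{
	struct sdesc *sdesc = (struct sdesc *)drbg->priv_data;
	struct drbg_string *input = NULL;
	int ret;

	/*
	 * Every step can fail. Stop at the first error so that a digest
	 * computed over incomplete input is never handed back as DRBG
	 * state or output.
	 */
	ret = crypto_shash_init(&sdesc->shash);
	if (ret)
		return ret;

	list_for_each_entry(input, in, list) {
		ret = crypto_shash_update(&sdesc->shash, input->buf,
					  input->len);
		if (ret)
			return ret;
	}

	return crypto_shash_final(&sdesc->shash, outval);
}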
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1730) #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1731) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1732) #ifdef CONFIG_CRYPTO_DRBG_CTR
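/*
 * Release everything drbg_init_sym_kernel() sets up: the block cipher in
 * priv_data, the CTR skcipher handle, its request and the output
 * scratchpad. Each member is checked or NULL-tolerant, which is what lets
 * drbg_init_sym_kernel() call this from its error paths. Always returns 0.
 */
static int drbg_fini_sym_kernel(struct drbg_state *drbg)
{
	struct crypto_cipher *tfm =
		(struct crypto_cipher *)drbg->priv_data;

	if (tfm)
		crypto_free_cipher(tfm);
	drbg->priv_data = NULL;

	if (drbg->ctr_handle)
		crypto_free_skcipher(drbg->ctr_handle);
	drbg->ctr_handle = NULL;

	if (drbg->ctr_req)
		skcipher_request_free(drbg->ctr_req);
	drbg->ctr_req = NULL;

	/*
	 * The scratchpad receives generator output. Wipe it while freeing
	 * rather than relying on every user having cleared it beforehand.
	 */
	kfree_sensitive(drbg->outscratchpadbuf);
	drbg->outscratchpadbuf = NULL;
	/* aligned alias into the buffer that was just freed */
	drbg->outscratchpad = NULL;

	return 0;
}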
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1754) 
/*
 * Set up the symmetric backend of the CTR DRBG: the raw block cipher
 * (stored in priv_data), a "ctr(<cipher>)" skcipher with its request, and
 * an aligned output scratchpad.
 *
 * return: the skcipher alignmask on success, a negative errno otherwise.
 *	   On any failure after the first allocation, drbg_fini_sym_kernel()
 *	   releases what was set up so far.
 */
static int drbg_init_sym_kernel(struct drbg_state *drbg)
{
	const char *cipher_name = drbg->core->backend_cra_name;
	char ctr_name[CRYPTO_MAX_ALG_NAME];
	struct crypto_cipher *cipher;
	struct crypto_skcipher *ctr_tfm;
	struct skcipher_request *ctr_req;
	unsigned int mask;

	cipher = crypto_alloc_cipher(cipher_name, 0, 0);
	if (IS_ERR(cipher)) {
		pr_info("DRBG: could not allocate cipher TFM handle: %s\n",
			cipher_name);
		return PTR_ERR(cipher);
	}
	/* the core definition must agree with the cipher it is built on */
	BUG_ON(drbg_blocklen(drbg) != crypto_cipher_blocksize(cipher));
	drbg->priv_data = cipher;

	/* reject a CTR template name that does not fit instead of truncating */
	if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)",
		     cipher_name) >= CRYPTO_MAX_ALG_NAME) {
		drbg_fini_sym_kernel(drbg);
		return -EINVAL;
	}

	ctr_tfm = crypto_alloc_skcipher(ctr_name, 0, 0);
	if (IS_ERR(ctr_tfm)) {
		pr_info("DRBG: could not allocate CTR cipher TFM handle: %s\n",
			ctr_name);
		drbg_fini_sym_kernel(drbg);
		return PTR_ERR(ctr_tfm);
	}
	drbg->ctr_handle = ctr_tfm;
	crypto_init_wait(&drbg->ctr_wait);

	ctr_req = skcipher_request_alloc(ctr_tfm, GFP_KERNEL);
	if (!ctr_req) {
		pr_info("DRBG: could not allocate request queue\n");
		drbg_fini_sym_kernel(drbg);
		return -ENOMEM;
	}
	drbg->ctr_req = ctr_req;
	skcipher_request_set_callback(ctr_req,
				      CRYPTO_TFM_REQ_MAY_BACKLOG |
				      CRYPTO_TFM_REQ_MAY_SLEEP,
				      crypto_req_done, &drbg->ctr_wait);

	/* over-allocate by the alignmask so the scratchpad can be aligned */
	mask = crypto_skcipher_alignmask(ctr_tfm);
	drbg->outscratchpadbuf = kmalloc(DRBG_OUTSCRATCHLEN + mask,
					 GFP_KERNEL);
	if (!drbg->outscratchpadbuf) {
		drbg_fini_sym_kernel(drbg);
		return -ENOMEM;
	}
	drbg->outscratchpad = (u8 *)PTR_ALIGN(drbg->outscratchpadbuf,
					      mask + 1);

	sg_init_table(&drbg->sg_in, 1);
	sg_init_one(&drbg->sg_out, drbg->outscratchpad, DRBG_OUTSCRATCHLEN);

	return mask;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1813) 
/*
 * Load @key, drbg_keylen(drbg) bytes long, into the block cipher held in
 * drbg->priv_data.
 *
 * NOTE(review): the return value of crypto_cipher_setkey() is discarded and
 * the void signature gives callers no way to observe a failed key load.
 */
static void drbg_kcapi_symsetkey(struct drbg_state *drbg,
				 const unsigned char *key)
{
	struct crypto_cipher *cipher = drbg->priv_data;

	crypto_cipher_setkey(cipher, key, drbg_keylen(drbg));
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1822) 
/*
 * Encrypt a single cipher block from @in->buf into @outval with the block
 * cipher held in drbg->priv_data. Always returns 0; an input shorter than
 * one block is treated as a programming error (BUG_ON).
 */
static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval,
			  const struct drbg_string *in)
{
	struct crypto_cipher *cipher = drbg->priv_data;

	/* there is only one component in *in */
	BUG_ON(in->len < drbg_blocklen(drbg));

	crypto_cipher_encrypt_one(cipher, outval, in->buf);

	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1834) 
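/*
 * Run the CTR skcipher with drbg->V as the IV and deliver @outlen bytes to
 * @outbuf, at most DRBG_OUTSCRATCHLEN bytes per request.
 *
 * @drbg: DRBG state holding the request, wait object and scratchpad
 * @inbuf: input to encrypt, or NULL to encrypt a zeroed scratchpad in place
 * @inlen: length of @inbuf; ignored when @inbuf is NULL
 * @outbuf: destination for the result
 * @outlen: number of bytes to produce
 *
 * return: 0 on success, otherwise the error of the failing request.
 *
 * NOTE(review): with a non-NULL @inbuf and @inlen == 0, cryptlen would be 0
 * and the loop would not advance. Callers presumably never do that; confirm.
 */
static int drbg_kcapi_sym_ctr(struct drbg_state *drbg,
			      u8 *inbuf, u32 inlen,
			      u8 *outbuf, u32 outlen)
{
	struct scatterlist *sg_in = &drbg->sg_in, *sg_out = &drbg->sg_out;
	u32 scratchpad_use = min_t(u32, outlen, DRBG_OUTSCRATCHLEN);
	int ret;

	if (inbuf) {
		/* Use caller-provided input buffer */
		sg_set_buf(sg_in, inbuf, inlen);
	} else {
		/* Use scratchpad for in-place operation */
		inlen = scratchpad_use;
		memset(drbg->outscratchpad, 0, scratchpad_use);
		sg_set_buf(sg_in, drbg->outscratchpad, scratchpad_use);
	}

	while (outlen) {
		u32 cryptlen = min3(inlen, outlen, (u32)DRBG_OUTSCRATCHLEN);

		/* Output buffer may not be valid for SGL, use scratchpad */
		skcipher_request_set_crypt(drbg->ctr_req, sg_in, sg_out,
					   cryptlen, drbg->V);
		ret = crypto_wait_req(crypto_skcipher_encrypt(drbg->ctr_req),
					&drbg->ctr_wait);
		if (ret) {
			/*
			 * A failed request may have written part of its
			 * output. Do not leave it in the scratchpad.
			 */
			memzero_explicit(drbg->outscratchpad, cryptlen);
			return ret;
		}

		crypto_init_wait(&drbg->ctr_wait);

		memcpy(outbuf, drbg->outscratchpad, cryptlen);
		/* the scratchpad copy of the output is no longer needed */
		memzero_explicit(drbg->outscratchpad, cryptlen);

		outlen -= cryptlen;
		outbuf += cryptlen;
	}

	return 0;
}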
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1877) #endif /* CONFIG_CRYPTO_DRBG_CTR */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1878) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1879) /***************************************************************
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1880)  * Kernel crypto API interface to register DRBG
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1881)  ***************************************************************/
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1882) 
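/*
 * Look up the DRBG core and the prediction resistance setting for a
 * kernel crypto API driver name, using the drbg_cores[] definitions.
 *
 * @cra_driver_name: NUL-terminated driver name of the form
 *		     "drbg_pr_<core>" or "drbg_nopr_<core>"
 * @coreref: set to the index of the matching drbg_cores[] entry; left
 *	     untouched when the prefix or the core name does not match, so
 *	     the caller's initial value selects the core in that case
 * @pr: set to false for a "drbg_nopr_" name, true otherwise
 *
 * The prefix is compared with strncmp() and the core name with strcmp():
 * a short name is never read past its terminator, and only an exact core
 * name matches.
 */
static inline void drbg_convert_tfm_core(const char *cra_driver_name,
					 int *coreref, bool *pr)
{
	static const char nopr_prefix[] = "drbg_nopr_";
	static const char pr_prefix[] = "drbg_pr_";
	const char *core_name;
	int i = 0;

	*pr = true;
	/* disassemble the names */
	if (!strncmp(cra_driver_name, nopr_prefix, sizeof(nopr_prefix) - 1)) {
		core_name = cra_driver_name + sizeof(nopr_prefix) - 1;
		*pr = false;
	} else if (!strncmp(cra_driver_name, pr_prefix,
			    sizeof(pr_prefix) - 1)) {
		core_name = cra_driver_name + sizeof(pr_prefix) - 1;
	} else {
		return;
	}

	/* what remains after the prefix must be a complete core name */
	for (i = 0; ARRAY_SIZE(drbg_cores) > i; i++) {
		if (!strcmp(core_name, drbg_cores[i].cra_name)) {
			*coreref = i;
			return;
		}
	}
}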
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1922) 
/*
 * cra_init hook: prepare the mutex of the DRBG state stored in the
 * transform context. Always returns 0.
 */
static int drbg_kcapi_init(struct crypto_tfm *tfm)
{
	struct drbg_state *state = crypto_tfm_ctx(tfm);

	mutex_init(&state->drbg_mutex);
	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1931) 
/* cra_exit hook: uninstantiate the DRBG state stored in the transform context. */
static void drbg_kcapi_cleanup(struct crypto_tfm *tfm)
{
	struct drbg_state *state = crypto_tfm_ctx(tfm);

	drbg_uninstantiate(state);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1936) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1937) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1938)  * Generate random numbers invoked by the kernel crypto API:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1939)  * The API of the kernel crypto API is extended as follows:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1940)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1941)  * src is additional input supplied to the RNG.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1942)  * slen is the length of src.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1943)  * dst is the output buffer where random data is to be stored.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1944)  * dlen is the length of dst.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1945)  */
static int drbg_kcapi_random(struct crypto_rng *tfm,
			     const u8 *src, unsigned int slen,
			     u8 *dst, unsigned int dlen)
{
	struct drbg_state *state = crypto_rng_ctx(tfm);
	struct drbg_string addtl_input;

	/* no additional input supplied: generate without it */
	if (!slen)
		return drbg_generate_long(state, dst, dlen, NULL);

	/* wrap src in a local drbg_string so the list entry may be modified */
	drbg_string_fill(&addtl_input, src, slen);

	return drbg_generate_long(state, dst, dlen, &addtl_input);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1962) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1963) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1964)  * Seed the DRBG invoked by the kernel crypto API
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1965)  */
static int drbg_kcapi_seed(struct crypto_rng *tfm,
			   const u8 *seed, unsigned int slen)
{
	struct drbg_state *state = crypto_rng_ctx(tfm);
	const char *driver_name =
		crypto_tfm_alg_driver_name(crypto_rng_tfm(tfm));
	struct drbg_string seed_desc;
	struct drbg_string *seed_ref = NULL;
	bool pr = false;
	int coreref = 0;

	/*
	 * The driver name selects the core and the prediction resistance
	 * mode; coreref keeps its initial 0 if the lookup finds nothing.
	 */
	drbg_convert_tfm_core(driver_name, &coreref, &pr);

	/* an empty seed is passed on as NULL */
	if (slen != 0) {
		drbg_string_fill(&seed_desc, seed, slen);
		seed_ref = &seed_desc;
	}

	return drbg_instantiate(state, seed_ref, coreref, pr);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1985) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1986) /***************************************************************
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1987)  * Kernel module: code to load the module
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1988)  ***************************************************************/
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1989) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1990) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1991)  * Tests as defined in 11.3.2 in addition to the cipher tests: testing
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1992)  * of the error handling.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1993)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1994)  * Note: testing of failing seed source as defined in 11.3.2 is not applicable
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1995)  * as seed source of get_random_bytes does not fail.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1996)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1997)  * Note 2: There is no sensible way of testing the reseed counter
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1998)  * enforcement, so skip it.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1999)  */
static inline int __init drbg_healthcheck_sanity(void)
{
#define OUTBUFLEN 16
	unsigned char buf[OUTBUFLEN];
	struct drbg_state *drbg;
	struct drbg_string addtl;
	size_t max_addtllen, max_request_bytes;
	bool pr = false;
	int coreref = 0;
	int len;
	int ret;

	/* only perform test in FIPS mode */
	if (!fips_enabled)
		return 0;

	/* pick one core from whichever DRBG type is configured */
#ifdef CONFIG_CRYPTO_DRBG_CTR
	drbg_convert_tfm_core("drbg_nopr_ctr_aes128", &coreref, &pr);
#elif defined CONFIG_CRYPTO_DRBG_HASH
	drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr);
#else
	drbg_convert_tfm_core("drbg_nopr_hmac_sha256", &coreref, &pr);
#endif

	drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL);
	if (!drbg)
		return -ENOMEM;

	mutex_init(&drbg->drbg_mutex);
	drbg->core = &drbg_cores[coreref];
	drbg->reseed_threshold = drbg_max_requests(drbg);

	/*
	 * Each call below passes a length one past the permitted maximum
	 * while buf is only OUTBUFLEN bytes, so it has to be rejected. If
	 * the error handling does not work we may get an OOPS, and an OOPS
	 * is wanted then because this is a grave bug.
	 */
	max_addtllen = drbg_max_addtl(drbg);
	max_request_bytes = drbg_max_request_bytes(drbg);
	drbg_string_fill(&addtl, buf, max_addtllen + 1);

	/* overflow addtllen with additional info string */
	len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl);
	BUG_ON(0 < len);

	/* overflow max_bits */
	len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL);
	BUG_ON(0 < len);

	/* overflow max addtllen with personalization string */
	ret = drbg_seed(drbg, &addtl, false);
	BUG_ON(0 == ret);

	/* all tests passed */
	pr_devel("DRBG: Sanity tests for failure code paths successfully "
		 "completed\n");

	kfree(drbg);
	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2063) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2064) static struct rng_alg drbg_algs[22];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2065) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2066) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2067)  * Fill the array drbg_algs used to register the different DRBGs
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2068)  * with the kernel crypto API. To fill the array, the information
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2069)  * from drbg_cores[] is used.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2070)  */
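static inline void __init drbg_fill_array(struct rng_alg *alg,
					  const struct drbg_core *core, int pr)
{
	/* shared across calls: every later entry gets a higher priority */
	static int priority = 200;
	int len;

	/*
	 * Build both names with bounded, NUL-terminating writes, so that a
	 * long core name can never run past the end of cra_driver_name.
	 */
	strscpy(alg->base.cra_name, "stdrng", sizeof(alg->base.cra_name));
	len = snprintf(alg->base.cra_driver_name,
		       sizeof(alg->base.cra_driver_name), "%s%s",
		       pr ? "drbg_pr_" : "drbg_nopr_", core->cra_name);
	/* a truncated driver name could not be mapped back to its core */
	WARN_ON((size_t)len >= sizeof(alg->base.cra_driver_name));

	alg->base.cra_priority = priority;
	priority++;
	/*
	 * If FIPS mode enabled, the selected DRBG shall have the
	 * highest cra_priority over other stdrng instances to ensure
	 * it is selected.
	 */
	if (fips_enabled)
		alg->base.cra_priority += 200;

	alg->base.cra_ctxsize	= sizeof(struct drbg_state);
	alg->base.cra_module	= THIS_MODULE;
	alg->base.cra_init	= drbg_kcapi_init;
	alg->base.cra_exit	= drbg_kcapi_cleanup;
	alg->generate		= drbg_kcapi_random;
	alg->seed		= drbg_kcapi_seed;
	alg->set_ent		= drbg_kcapi_set_entropy;
	alg->seedsize		= 0;
}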
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2107) 
/*
 * Module init: run the FIPS-mode sanity check, then register every core
 * in drbg_cores[] twice with the kernel crypto API, once with and once
 * without prediction resistance.
 */
static int __init drbg_init(void)
{
	const size_t n_cores = ARRAY_SIZE(drbg_cores);
	size_t core;
	int err;

	err = drbg_healthcheck_sanity();
	if (err)
		return err;

	/* drbg_algs[] has a fixed size; refuse to run past it */
	if (n_cores * 2 > ARRAY_SIZE(drbg_algs)) {
		pr_info("DRBG: Cannot register all DRBG types"
			"(slots needed: %zu, slots available: %zu)\n",
			n_cores * 2, ARRAY_SIZE(drbg_algs));
		return -EFAULT;
	}

	/*
	 * Each DRBG definition can be used with PR and without PR, thus
	 * each DRBG in drbg_cores[] is instantiated twice.
	 *
	 * The fill order matters because later entries receive a higher
	 * cra_priority: the prediction resistance DRBGs go first as they
	 * should not be too interesting.
	 */
	for (core = 0; core < n_cores; core++)
		drbg_fill_array(&drbg_algs[core], &drbg_cores[core], 1);
	for (core = 0; core < n_cores; core++)
		drbg_fill_array(&drbg_algs[n_cores + core],
				&drbg_cores[core], 0);

	return crypto_register_rngs(drbg_algs, n_cores * 2);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2140) 
/*
 * drbg_exit - module unload hook.
 *
 * Unregisters the drbg_algs[] entries, using the same count (two per
 * drbg_cores[] entry) that drbg_init() passes to crypto_register_rngs().
 */
static void __exit drbg_exit(void)
{
	const size_t nr_algs = ARRAY_SIZE(drbg_cores) * 2;

	crypto_unregister_rngs(drbg_algs, nr_algs);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2145) 
/* Init and exit hooks for the DRBG. */
subsys_initcall(drbg_init);
module_exit(drbg_exit);

/*
 * Core-name fragments appended to MODULE_DESCRIPTION. Any fragment that
 * is still undefined at this point falls back to an empty string.
 */
#ifndef CRYPTO_DRBG_CTR_STRING
#define CRYPTO_DRBG_CTR_STRING ""
#endif
#ifndef CRYPTO_DRBG_HMAC_STRING
#define CRYPTO_DRBG_HMAC_STRING ""
#endif
#ifndef CRYPTO_DRBG_HASH_STRING
#define CRYPTO_DRBG_HASH_STRING ""
#endif

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) using following cores: "
		   CRYPTO_DRBG_HASH_STRING
		   CRYPTO_DRBG_HMAC_STRING
		   CRYPTO_DRBG_CTR_STRING);
/*
 * Crypto alias for the generic "stdrng" name; which DRBG a "stdrng"
 * request ends up with depends on the cra_priority values assigned at
 * registration.
 */
MODULE_ALIAS_CRYPTO("stdrng");
/* Import the CRYPTO_INTERNAL symbol namespace. */
MODULE_IMPORT_NS(CRYPTO_INTERNAL);