crypto/drbg.c at 4e5591c2fc1b30f4ea5e2eab4c3a695acc404e39

tjh.dev / kernel
fork
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork
kernel / crypto / drbg.c
at 4e5591c2fc1b30f4ea5e2eab4c3a695acc404e39 1904 lines 54 kB view raw
wrap content
   1/*
   2 * DRBG: Deterministic Random Bits Generator
   3 *       Based on NIST Recommended DRBG from NIST SP800-90A with the following
   4 *       properties:
   5 *		* CTR DRBG with DF with AES-128, AES-192, AES-256 cores
   6 *		* Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
   7 *		* HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
   8 *		* with and without prediction resistance
   9 *
  10 * Copyright Stephan Mueller <smueller@chronox.de>, 2014
  11 *
  12 * Redistribution and use in source and binary forms, with or without
  13 * modification, are permitted provided that the following conditions
  14 * are met:
  15 * 1. Redistributions of source code must retain the above copyright
  16 *    notice, and the entire permission notice in its entirety,
  17 *    including the disclaimer of warranties.
  18 * 2. Redistributions in binary form must reproduce the above copyright
  19 *    notice, this list of conditions and the following disclaimer in the
  20 *    documentation and/or other materials provided with the distribution.
  21 * 3. The name of the author may not be used to endorse or promote
  22 *    products derived from this software without specific prior
  23 *    written permission.
  24 *
  25 * ALTERNATIVELY, this product may be distributed under the terms of
  26 * the GNU General Public License, in which case the provisions of the GPL are
  27 * required INSTEAD OF the above restrictions.  (This clause is
  28 * necessary due to a potential bad interaction between the GPL and
  29 * the restrictions contained in a BSD-style copyright.)
  30 *
  31 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
  32 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  33 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
  34 * WHICH ARE HEREBY DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE
  35 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
  36 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
  37 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
  38 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
  39 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  40 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
  41 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
  42 * DAMAGE.
  43 *
  44 * DRBG Usage
  45 * ==========
  46 * The SP 800-90A DRBG allows the user to specify a personalization string
  47 * for initialization as well as an additional information string for each
  48 * random number request. The following code fragments show how a caller
  49 * uses the kernel crypto API to use the full functionality of the DRBG.
  50 *
  51 * Usage without any additional data
  52 * ---------------------------------
  53 * struct crypto_rng *drng;
  54 * int err;
  55 * char data[DATALEN];
  56 *
  57 * drng = crypto_alloc_rng(drng_name, 0, 0);
  58 * err = crypto_rng_get_bytes(drng, &data, DATALEN);
  59 * crypto_free_rng(drng);
  60 *
  61 *
  62 * Usage with personalization string during initialization
  63 * -------------------------------------------------------
  64 * struct crypto_rng *drng;
  65 * int err;
  66 * char data[DATALEN];
  67 * struct drbg_string pers;
  68 * char personalization[11] = "some-string";
  69 *
  70 * drbg_string_fill(&pers, personalization, strlen(personalization));
  71 * drng = crypto_alloc_rng(drng_name, 0, 0);
  72 * // The reset completely re-initializes the DRBG with the provided
  73 * // personalization string
  74 * err = crypto_rng_reset(drng, &personalization, strlen(personalization));
  75 * err = crypto_rng_get_bytes(drng, &data, DATALEN);
  76 * crypto_free_rng(drng);
  77 *
  78 *
  79 * Usage with additional information string during random number request
  80 * ---------------------------------------------------------------------
  81 * struct crypto_rng *drng;
  82 * int err;
  83 * char data[DATALEN];
  84 * char addtl_string[11] = "some-string";
  85 * string drbg_string addtl;
  86 *
  87 * drbg_string_fill(&addtl, addtl_string, strlen(addtl_string));
  88 * drng = crypto_alloc_rng(drng_name, 0, 0);
  89 * // The following call is a wrapper to crypto_rng_get_bytes() and returns
  90 * // the same error codes.
  91 * err = crypto_drbg_get_bytes_addtl(drng, &data, DATALEN, &addtl);
  92 * crypto_free_rng(drng);
  93 *
  94 *
  95 * Usage with personalization and additional information strings
  96 * -------------------------------------------------------------
  97 * Just mix both scenarios above.
  98 */
  99
 100#include <crypto/drbg.h>
 101#include <crypto/df_sp80090a.h>
 102#include <crypto/internal/cipher.h>
 103#include <linux/kernel.h>
 104#include <linux/jiffies.h>
 105#include <linux/string_choices.h>
 106
 107/***************************************************************
 108 * Backend cipher definitions available to DRBG
 109 ***************************************************************/
 110
 111/*
 112 * The order of the DRBG definitions here matter: every DRBG is registered
 113 * as stdrng. Each DRBG receives an increasing cra_priority values the later
 114 * they are defined in this array (see drbg_fill_array).
 115 *
 116 * HMAC DRBGs are favored over Hash DRBGs over CTR DRBGs, and the
 117 * HMAC-SHA512 / SHA256 / AES 256 over other ciphers. Thus, the
 118 * favored DRBGs are the latest entries in this array.
 119 */
 120static const struct drbg_core drbg_cores[] = {
 121#ifdef CONFIG_CRYPTO_DRBG_CTR
 122	{
 123		.flags = DRBG_CTR | DRBG_STRENGTH128,
 124		.statelen = 32, /* 256 bits as defined in 10.2.1 */
 125		.blocklen_bytes = 16,
 126		.cra_name = "ctr_aes128",
 127		.backend_cra_name = "aes",
 128	}, {
 129		.flags = DRBG_CTR | DRBG_STRENGTH192,
 130		.statelen = 40, /* 320 bits as defined in 10.2.1 */
 131		.blocklen_bytes = 16,
 132		.cra_name = "ctr_aes192",
 133		.backend_cra_name = "aes",
 134	}, {
 135		.flags = DRBG_CTR | DRBG_STRENGTH256,
 136		.statelen = 48, /* 384 bits as defined in 10.2.1 */
 137		.blocklen_bytes = 16,
 138		.cra_name = "ctr_aes256",
 139		.backend_cra_name = "aes",
 140	},
 141#endif /* CONFIG_CRYPTO_DRBG_CTR */
 142#ifdef CONFIG_CRYPTO_DRBG_HASH
 143	{
 144		.flags = DRBG_HASH | DRBG_STRENGTH256,
 145		.statelen = 111, /* 888 bits */
 146		.blocklen_bytes = 48,
 147		.cra_name = "sha384",
 148		.backend_cra_name = "sha384",
 149	}, {
 150		.flags = DRBG_HASH | DRBG_STRENGTH256,
 151		.statelen = 111, /* 888 bits */
 152		.blocklen_bytes = 64,
 153		.cra_name = "sha512",
 154		.backend_cra_name = "sha512",
 155	}, {
 156		.flags = DRBG_HASH | DRBG_STRENGTH256,
 157		.statelen = 55, /* 440 bits */
 158		.blocklen_bytes = 32,
 159		.cra_name = "sha256",
 160		.backend_cra_name = "sha256",
 161	},
 162#endif /* CONFIG_CRYPTO_DRBG_HASH */
 163#ifdef CONFIG_CRYPTO_DRBG_HMAC
 164	{
 165		.flags = DRBG_HMAC | DRBG_STRENGTH256,
 166		.statelen = 48, /* block length of cipher */
 167		.blocklen_bytes = 48,
 168		.cra_name = "hmac_sha384",
 169		.backend_cra_name = "hmac(sha384)",
 170	}, {
 171		.flags = DRBG_HMAC | DRBG_STRENGTH256,
 172		.statelen = 32, /* block length of cipher */
 173		.blocklen_bytes = 32,
 174		.cra_name = "hmac_sha256",
 175		.backend_cra_name = "hmac(sha256)",
 176	}, {
 177		.flags = DRBG_HMAC | DRBG_STRENGTH256,
 178		.statelen = 64, /* block length of cipher */
 179		.blocklen_bytes = 64,
 180		.cra_name = "hmac_sha512",
 181		.backend_cra_name = "hmac(sha512)",
 182	},
 183#endif /* CONFIG_CRYPTO_DRBG_HMAC */
 184};
 185
 186static int drbg_uninstantiate(struct drbg_state *drbg);
 187
 188/******************************************************************
 189 * Generic helper functions
 190 ******************************************************************/
 191
 192/*
 193 * Return strength of DRBG according to SP800-90A section 8.4
 194 *
 195 * @flags DRBG flags reference
 196 *
 197 * Return: normalized strength in *bytes* value or 32 as default
 198 *	   to counter programming errors
 199 */
 200static inline unsigned short drbg_sec_strength(drbg_flag_t flags)
 201{
 202	switch (flags & DRBG_STRENGTH_MASK) {
 203	case DRBG_STRENGTH128:
 204		return 16;
 205	case DRBG_STRENGTH192:
 206		return 24;
 207	case DRBG_STRENGTH256:
 208		return 32;
 209	default:
 210		return 32;
 211	}
 212}
 213
 214/*
 215 * FIPS 140-2 continuous self test for the noise source
 216 * The test is performed on the noise source input data. Thus, the function
 217 * implicitly knows the size of the buffer to be equal to the security
 218 * strength.
 219 *
 220 * Note, this function disregards the nonce trailing the entropy data during
 221 * initial seeding.
 222 *
 223 * drbg->drbg_mutex must have been taken.
 224 *
 225 * @drbg DRBG handle
 226 * @entropy buffer of seed data to be checked
 227 *
 228 * return:
 229 *	%true on success
 230 *	%false when the CTRNG is not yet primed
 231 */
 232static bool drbg_fips_continuous_test(struct drbg_state *drbg,
 233				      const unsigned char *entropy)
 234	__must_hold(&drbg->drbg_mutex)
 235{
 236	unsigned short entropylen = drbg_sec_strength(drbg->core->flags);
 237
 238	if (!IS_ENABLED(CONFIG_CRYPTO_FIPS))
 239		return true;
 240
 241	/* skip test if we test the overall system */
 242	if (list_empty(&drbg->test_data.list))
 243		return true;
 244	/* only perform test in FIPS mode */
 245	if (!fips_enabled)
 246		return true;
 247
 248	if (!drbg->fips_primed) {
 249		/* Priming of FIPS test */
 250		memcpy(drbg->prev, entropy, entropylen);
 251		drbg->fips_primed = true;
 252		/* priming: another round is needed */
 253		return false;
 254	}
 255	if (!memcmp(drbg->prev, entropy, entropylen))
 256		panic("DRBG continuous self test failed\n");
 257	memcpy(drbg->prev, entropy, entropylen);
 258
 259	/* the test shall pass when the two values are not equal */
 260	return true;
 261}
 262
 263/******************************************************************
 264 * CTR DRBG callback functions
 265 ******************************************************************/
 266
 267#ifdef CONFIG_CRYPTO_DRBG_CTR
 268#define CRYPTO_DRBG_CTR_STRING "CTR "
 269MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes256");
 270MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes256");
 271MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes192");
 272MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes192");
 273MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes128");
 274MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes128");
 275
 276static int drbg_init_sym_kernel(struct drbg_state *drbg);
 277static int drbg_fini_sym_kernel(struct drbg_state *drbg);
 278static int drbg_kcapi_sym_ctr(struct drbg_state *drbg,
 279			      u8 *inbuf, u32 inbuflen,
 280			      u8 *outbuf, u32 outlen);
 281#define DRBG_OUTSCRATCHLEN 256
 282
 283static int drbg_ctr_df(struct drbg_state *drbg,
 284		       unsigned char *df_data, size_t bytes_to_return,
 285		       struct list_head *seedlist)
 286{
 287	return crypto_drbg_ctr_df(drbg->priv_data, df_data, drbg_statelen(drbg),
 288				  seedlist, drbg_blocklen(drbg), drbg_statelen(drbg));
 289}
 290
 291/*
 292 * update function of CTR DRBG as defined in 10.2.1.2
 293 *
 294 * The reseed variable has an enhanced meaning compared to the update
 295 * functions of the other DRBGs as follows:
 296 * 0 => initial seed from initialization
 297 * 1 => reseed via drbg_seed
 298 * 2 => first invocation from drbg_ctr_update when addtl is present. In
 299 *      this case, the df_data scratchpad is not deleted so that it is
 300 *      available for another calls to prevent calling the DF function
 301 *      again.
 302 * 3 => second invocation from drbg_ctr_update. When the update function
 303 *      was called with addtl, the df_data memory already contains the
 304 *      DFed addtl information and we do not need to call DF again.
 305 */
 306static int drbg_ctr_update(struct drbg_state *drbg, struct list_head *seed,
 307			   int reseed)
 308{
 309	int ret = -EFAULT;
 310	/* 10.2.1.2 step 1 */
 311	unsigned char *temp = drbg->scratchpad;
 312	unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) +
 313				 drbg_blocklen(drbg);
 314
 315	if (3 > reseed)
 316		memset(df_data, 0, drbg_statelen(drbg));
 317
 318	if (!reseed) {
 319		/*
 320		 * The DRBG uses the CTR mode of the underlying AES cipher. The
 321		 * CTR mode increments the counter value after the AES operation
 322		 * but SP800-90A requires that the counter is incremented before
 323		 * the AES operation. Hence, we increment it at the time we set
 324		 * it by one.
 325		 */
 326		crypto_inc(drbg->V, drbg_blocklen(drbg));
 327
 328		ret = crypto_skcipher_setkey(drbg->ctr_handle, drbg->C,
 329					     drbg_keylen(drbg));
 330		if (ret)
 331			goto out;
 332	}
 333
 334	/* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */
 335	if (seed) {
 336		ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), seed);
 337		if (ret)
 338			goto out;
 339	}
 340
 341	ret = drbg_kcapi_sym_ctr(drbg, df_data, drbg_statelen(drbg),
 342				 temp, drbg_statelen(drbg));
 343	if (ret)
 344		return ret;
 345
 346	/* 10.2.1.2 step 5 */
 347	ret = crypto_skcipher_setkey(drbg->ctr_handle, temp,
 348				     drbg_keylen(drbg));
 349	if (ret)
 350		goto out;
 351	/* 10.2.1.2 step 6 */
 352	memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg));
 353	/* See above: increment counter by one to compensate timing of CTR op */
 354	crypto_inc(drbg->V, drbg_blocklen(drbg));
 355	ret = 0;
 356
 357out:
 358	memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg));
 359	if (2 != reseed)
 360		memset(df_data, 0, drbg_statelen(drbg));
 361	return ret;
 362}
 363
 364/*
 365 * scratchpad use: drbg_ctr_update is called independently from
 366 * drbg_ctr_extract_bytes. Therefore, the scratchpad is reused
 367 */
 368/* Generate function of CTR DRBG as defined in 10.2.1.5.2 */
 369static int drbg_ctr_generate(struct drbg_state *drbg,
 370			     unsigned char *buf, unsigned int buflen,
 371			     struct list_head *addtl)
 372{
 373	int ret;
 374	int len = min_t(int, buflen, INT_MAX);
 375
 376	/* 10.2.1.5.2 step 2 */
 377	if (addtl && !list_empty(addtl)) {
 378		ret = drbg_ctr_update(drbg, addtl, 2);
 379		if (ret)
 380			return 0;
 381	}
 382
 383	/* 10.2.1.5.2 step 4.1 */
 384	ret = drbg_kcapi_sym_ctr(drbg, NULL, 0, buf, len);
 385	if (ret)
 386		return ret;
 387
 388	/* 10.2.1.5.2 step 6 */
 389	ret = drbg_ctr_update(drbg, NULL, 3);
 390	if (ret)
 391		len = ret;
 392
 393	return len;
 394}
 395
 396static const struct drbg_state_ops drbg_ctr_ops = {
 397	.update		= drbg_ctr_update,
 398	.generate	= drbg_ctr_generate,
 399	.crypto_init	= drbg_init_sym_kernel,
 400	.crypto_fini	= drbg_fini_sym_kernel,
 401};
 402#endif /* CONFIG_CRYPTO_DRBG_CTR */
 403
 404/******************************************************************
 405 * HMAC DRBG callback functions
 406 ******************************************************************/
 407
 408#if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC)
 409static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval,
 410			   const struct list_head *in);
 411static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg,
 412				  const unsigned char *key);
 413static int drbg_init_hash_kernel(struct drbg_state *drbg);
 414static int drbg_fini_hash_kernel(struct drbg_state *drbg);
 415#endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */
 416
 417#ifdef CONFIG_CRYPTO_DRBG_HMAC
 418#define CRYPTO_DRBG_HMAC_STRING "HMAC "
 419MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha512");
 420MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha512");
 421MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha384");
 422MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha384");
 423MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha256");
 424MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha256");
 425
 426/* update function of HMAC DRBG as defined in 10.1.2.2 */
 427static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed,
 428			    int reseed)
 429{
 430	int ret = -EFAULT;
 431	int i = 0;
 432	struct drbg_string seed1, seed2, vdata;
 433	LIST_HEAD(seedlist);
 434	LIST_HEAD(vdatalist);
 435
 436	if (!reseed) {
 437		/* 10.1.2.3 step 2 -- memset(0) of C is implicit with kzalloc */
 438		memset(drbg->V, 1, drbg_statelen(drbg));
 439		drbg_kcapi_hmacsetkey(drbg, drbg->C);
 440	}
 441
 442	drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg));
 443	list_add_tail(&seed1.list, &seedlist);
 444	/* buffer of seed2 will be filled in for loop below with one byte */
 445	drbg_string_fill(&seed2, NULL, 1);
 446	list_add_tail(&seed2.list, &seedlist);
 447	/* input data of seed is allowed to be NULL at this point */
 448	if (seed)
 449		list_splice_tail(seed, &seedlist);
 450
 451	drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg));
 452	list_add_tail(&vdata.list, &vdatalist);
 453	for (i = 2; 0 < i; i--) {
 454		/* first round uses 0x0, second 0x1 */
 455		unsigned char prefix = DRBG_PREFIX0;
 456		if (1 == i)
 457			prefix = DRBG_PREFIX1;
 458		/* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */
 459		seed2.buf = &prefix;
 460		ret = drbg_kcapi_hash(drbg, drbg->C, &seedlist);
 461		if (ret)
 462			return ret;
 463		drbg_kcapi_hmacsetkey(drbg, drbg->C);
 464
 465		/* 10.1.2.2 step 2 and 5 -- HMAC for V */
 466		ret = drbg_kcapi_hash(drbg, drbg->V, &vdatalist);
 467		if (ret)
 468			return ret;
 469
 470		/* 10.1.2.2 step 3 */
 471		if (!seed)
 472			return ret;
 473	}
 474
 475	return 0;
 476}
 477
 478/* generate function of HMAC DRBG as defined in 10.1.2.5 */
 479static int drbg_hmac_generate(struct drbg_state *drbg,
 480			      unsigned char *buf,
 481			      unsigned int buflen,
 482			      struct list_head *addtl)
 483{
 484	int len = 0;
 485	int ret = 0;
 486	struct drbg_string data;
 487	LIST_HEAD(datalist);
 488
 489	/* 10.1.2.5 step 2 */
 490	if (addtl && !list_empty(addtl)) {
 491		ret = drbg_hmac_update(drbg, addtl, 1);
 492		if (ret)
 493			return ret;
 494	}
 495
 496	drbg_string_fill(&data, drbg->V, drbg_statelen(drbg));
 497	list_add_tail(&data.list, &datalist);
 498	while (len < buflen) {
 499		unsigned int outlen = 0;
 500		/* 10.1.2.5 step 4.1 */
 501		ret = drbg_kcapi_hash(drbg, drbg->V, &datalist);
 502		if (ret)
 503			return ret;
 504		outlen = (drbg_blocklen(drbg) < (buflen - len)) ?
 505			  drbg_blocklen(drbg) : (buflen - len);
 506
 507		/* 10.1.2.5 step 4.2 */
 508		memcpy(buf + len, drbg->V, outlen);
 509		len += outlen;
 510	}
 511
 512	/* 10.1.2.5 step 6 */
 513	if (addtl && !list_empty(addtl))
 514		ret = drbg_hmac_update(drbg, addtl, 1);
 515	else
 516		ret = drbg_hmac_update(drbg, NULL, 1);
 517	if (ret)
 518		return ret;
 519
 520	return len;
 521}
 522
 523static const struct drbg_state_ops drbg_hmac_ops = {
 524	.update		= drbg_hmac_update,
 525	.generate	= drbg_hmac_generate,
 526	.crypto_init	= drbg_init_hash_kernel,
 527	.crypto_fini	= drbg_fini_hash_kernel,
 528};
 529#endif /* CONFIG_CRYPTO_DRBG_HMAC */
 530
 531/******************************************************************
 532 * Hash DRBG callback functions
 533 ******************************************************************/
 534
 535#ifdef CONFIG_CRYPTO_DRBG_HASH
 536#define CRYPTO_DRBG_HASH_STRING "HASH "
 537MODULE_ALIAS_CRYPTO("drbg_pr_sha512");
 538MODULE_ALIAS_CRYPTO("drbg_nopr_sha512");
 539MODULE_ALIAS_CRYPTO("drbg_pr_sha384");
 540MODULE_ALIAS_CRYPTO("drbg_nopr_sha384");
 541MODULE_ALIAS_CRYPTO("drbg_pr_sha256");
 542MODULE_ALIAS_CRYPTO("drbg_nopr_sha256");
 543
 544/*
 545 * Increment buffer
 546 *
 547 * @dst buffer to increment
 548 * @add value to add
 549 */
 550static inline void drbg_add_buf(unsigned char *dst, size_t dstlen,
 551				const unsigned char *add, size_t addlen)
 552{
 553	/* implied: dstlen > addlen */
 554	unsigned char *dstptr;
 555	const unsigned char *addptr;
 556	unsigned int remainder = 0;
 557	size_t len = addlen;
 558
 559	dstptr = dst + (dstlen-1);
 560	addptr = add + (addlen-1);
 561	while (len) {
 562		remainder += *dstptr + *addptr;
 563		*dstptr = remainder & 0xff;
 564		remainder >>= 8;
 565		len--; dstptr--; addptr--;
 566	}
 567	len = dstlen - addlen;
 568	while (len && remainder > 0) {
 569		remainder = *dstptr + 1;
 570		*dstptr = remainder & 0xff;
 571		remainder >>= 8;
 572		len--; dstptr--;
 573	}
 574}
 575
 576/*
 577 * scratchpad usage: as drbg_hash_update and drbg_hash_df are used
 578 * interlinked, the scratchpad is used as follows:
 579 * drbg_hash_update
 580 *	start: drbg->scratchpad
 581 *	length: drbg_statelen(drbg)
 582 * drbg_hash_df:
 583 *	start: drbg->scratchpad + drbg_statelen(drbg)
 584 *	length: drbg_blocklen(drbg)
 585 *
 586 * drbg_hash_process_addtl uses the scratchpad, but fully completes
 587 * before either of the functions mentioned before are invoked. Therefore,
 588 * drbg_hash_process_addtl does not need to be specifically considered.
 589 */
 590
 591/* Derivation Function for Hash DRBG as defined in 10.4.1 */
 592static int drbg_hash_df(struct drbg_state *drbg,
 593			unsigned char *outval, size_t outlen,
 594			struct list_head *entropylist)
 595{
 596	int ret = 0;
 597	size_t len = 0;
 598	unsigned char input[5];
 599	unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg);
 600	struct drbg_string data;
 601
 602	/* 10.4.1 step 3 */
 603	input[0] = 1;
 604	drbg_cpu_to_be32((outlen * 8), &input[1]);
 605
 606	/* 10.4.1 step 4.1 -- concatenation of data for input into hash */
 607	drbg_string_fill(&data, input, 5);
 608	list_add(&data.list, entropylist);
 609
 610	/* 10.4.1 step 4 */
 611	while (len < outlen) {
 612		short blocklen = 0;
 613		/* 10.4.1 step 4.1 */
 614		ret = drbg_kcapi_hash(drbg, tmp, entropylist);
 615		if (ret)
 616			goto out;
 617		/* 10.4.1 step 4.2 */
 618		input[0]++;
 619		blocklen = (drbg_blocklen(drbg) < (outlen - len)) ?
 620			    drbg_blocklen(drbg) : (outlen - len);
 621		memcpy(outval + len, tmp, blocklen);
 622		len += blocklen;
 623	}
 624
 625out:
 626	memset(tmp, 0, drbg_blocklen(drbg));
 627	return ret;
 628}
 629
 630/* update function for Hash DRBG as defined in 10.1.1.2 / 10.1.1.3 */
 631static int drbg_hash_update(struct drbg_state *drbg, struct list_head *seed,
 632			    int reseed)
 633{
 634	int ret = 0;
 635	struct drbg_string data1, data2;
 636	LIST_HEAD(datalist);
 637	LIST_HEAD(datalist2);
 638	unsigned char *V = drbg->scratchpad;
 639	unsigned char prefix = DRBG_PREFIX1;
 640
 641	if (!seed)
 642		return -EINVAL;
 643
 644	if (reseed) {
 645		/* 10.1.1.3 step 1 */
 646		memcpy(V, drbg->V, drbg_statelen(drbg));
 647		drbg_string_fill(&data1, &prefix, 1);
 648		list_add_tail(&data1.list, &datalist);
 649		drbg_string_fill(&data2, V, drbg_statelen(drbg));
 650		list_add_tail(&data2.list, &datalist);
 651	}
 652	list_splice_tail(seed, &datalist);
 653
 654	/* 10.1.1.2 / 10.1.1.3 step 2 and 3 */
 655	ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist);
 656	if (ret)
 657		goto out;
 658
 659	/* 10.1.1.2 / 10.1.1.3 step 4  */
 660	prefix = DRBG_PREFIX0;
 661	drbg_string_fill(&data1, &prefix, 1);
 662	list_add_tail(&data1.list, &datalist2);
 663	drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
 664	list_add_tail(&data2.list, &datalist2);
 665	/* 10.1.1.2 / 10.1.1.3 step 4 */
 666	ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2);
 667
 668out:
 669	memset(drbg->scratchpad, 0, drbg_statelen(drbg));
 670	return ret;
 671}
 672
 673/* processing of additional information string for Hash DRBG */
 674static int drbg_hash_process_addtl(struct drbg_state *drbg,
 675				   struct list_head *addtl)
 676{
 677	int ret = 0;
 678	struct drbg_string data1, data2;
 679	LIST_HEAD(datalist);
 680	unsigned char prefix = DRBG_PREFIX2;
 681
 682	/* 10.1.1.4 step 2 */
 683	if (!addtl || list_empty(addtl))
 684		return 0;
 685
 686	/* 10.1.1.4 step 2a */
 687	drbg_string_fill(&data1, &prefix, 1);
 688	drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
 689	list_add_tail(&data1.list, &datalist);
 690	list_add_tail(&data2.list, &datalist);
 691	list_splice_tail(addtl, &datalist);
 692	ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist);
 693	if (ret)
 694		goto out;
 695
 696	/* 10.1.1.4 step 2b */
 697	drbg_add_buf(drbg->V, drbg_statelen(drbg),
 698		     drbg->scratchpad, drbg_blocklen(drbg));
 699
 700out:
 701	memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
 702	return ret;
 703}
 704
 705/* Hashgen defined in 10.1.1.4 */
 706static int drbg_hash_hashgen(struct drbg_state *drbg,
 707			     unsigned char *buf,
 708			     unsigned int buflen)
 709{
 710	int len = 0;
 711	int ret = 0;
 712	unsigned char *src = drbg->scratchpad;
 713	unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg);
 714	struct drbg_string data;
 715	LIST_HEAD(datalist);
 716
 717	/* 10.1.1.4 step hashgen 2 */
 718	memcpy(src, drbg->V, drbg_statelen(drbg));
 719
 720	drbg_string_fill(&data, src, drbg_statelen(drbg));
 721	list_add_tail(&data.list, &datalist);
 722	while (len < buflen) {
 723		unsigned int outlen = 0;
 724		/* 10.1.1.4 step hashgen 4.1 */
 725		ret = drbg_kcapi_hash(drbg, dst, &datalist);
 726		if (ret) {
 727			len = ret;
 728			goto out;
 729		}
 730		outlen = (drbg_blocklen(drbg) < (buflen - len)) ?
 731			  drbg_blocklen(drbg) : (buflen - len);
 732		/* 10.1.1.4 step hashgen 4.2 */
 733		memcpy(buf + len, dst, outlen);
 734		len += outlen;
 735		/* 10.1.1.4 hashgen step 4.3 */
 736		if (len < buflen)
 737			crypto_inc(src, drbg_statelen(drbg));
 738	}
 739
 740out:
 741	memset(drbg->scratchpad, 0,
 742	       (drbg_statelen(drbg) + drbg_blocklen(drbg)));
 743	return len;
 744}
 745
 746/* generate function for Hash DRBG as defined in  10.1.1.4 */
 747static int drbg_hash_generate(struct drbg_state *drbg,
 748			      unsigned char *buf, unsigned int buflen,
 749			      struct list_head *addtl)
 750{
 751	int len = 0;
 752	int ret = 0;
 753	union {
 754		unsigned char req[8];
 755		__be64 req_int;
 756	} u;
 757	unsigned char prefix = DRBG_PREFIX3;
 758	struct drbg_string data1, data2;
 759	LIST_HEAD(datalist);
 760
 761	/* 10.1.1.4 step 2 */
 762	ret = drbg_hash_process_addtl(drbg, addtl);
 763	if (ret)
 764		return ret;
 765	/* 10.1.1.4 step 3 */
 766	len = drbg_hash_hashgen(drbg, buf, buflen);
 767
 768	/* this is the value H as documented in 10.1.1.4 */
 769	/* 10.1.1.4 step 4 */
 770	drbg_string_fill(&data1, &prefix, 1);
 771	list_add_tail(&data1.list, &datalist);
 772	drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
 773	list_add_tail(&data2.list, &datalist);
 774	ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist);
 775	if (ret) {
 776		len = ret;
 777		goto out;
 778	}
 779
 780	/* 10.1.1.4 step 5 */
 781	drbg_add_buf(drbg->V, drbg_statelen(drbg),
 782		     drbg->scratchpad, drbg_blocklen(drbg));
 783	drbg_add_buf(drbg->V, drbg_statelen(drbg),
 784		     drbg->C, drbg_statelen(drbg));
 785	u.req_int = cpu_to_be64(drbg->reseed_ctr);
 786	drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8);
 787
 788out:
 789	memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
 790	return len;
 791}
 792
 793/*
 794 * scratchpad usage: as update and generate are used isolated, both
 795 * can use the scratchpad
 796 */
 797static const struct drbg_state_ops drbg_hash_ops = {
 798	.update		= drbg_hash_update,
 799	.generate	= drbg_hash_generate,
 800	.crypto_init	= drbg_init_hash_kernel,
 801	.crypto_fini	= drbg_fini_hash_kernel,
 802};
 803#endif /* CONFIG_CRYPTO_DRBG_HASH */
 804
 805/******************************************************************
 806 * Functions common for DRBG implementations
 807 ******************************************************************/
 808
 809static inline int __drbg_seed(struct drbg_state *drbg, struct list_head *seed,
 810			      int reseed, enum drbg_seed_state new_seed_state)
 811{
 812	int ret = drbg->d_ops->update(drbg, seed, reseed);
 813
 814	if (ret)
 815		return ret;
 816
 817	drbg->seeded = new_seed_state;
 818	drbg->last_seed_time = jiffies;
 819	/* 10.1.1.2 / 10.1.1.3 step 5 */
 820	drbg->reseed_ctr = 1;
 821
 822	switch (drbg->seeded) {
 823	case DRBG_SEED_STATE_UNSEEDED:
 824		/* Impossible, but handle it to silence compiler warnings. */
 825		fallthrough;
 826	case DRBG_SEED_STATE_PARTIAL:
 827		/*
 828		 * Require frequent reseeds until the seed source is
 829		 * fully initialized.
 830		 */
 831		drbg->reseed_threshold = 50;
 832		break;
 833
 834	case DRBG_SEED_STATE_FULL:
 835		/*
 836		 * Seed source has become fully initialized, frequent
 837		 * reseeds no longer required.
 838		 */
 839		drbg->reseed_threshold = drbg_max_requests(drbg);
 840		break;
 841	}
 842
 843	return ret;
 844}
 845
 846static inline void drbg_get_random_bytes(struct drbg_state *drbg,
 847					 unsigned char *entropy,
 848					 unsigned int entropylen)
 849	__must_hold(&drbg->drbg_mutex)
 850{
 851	do
 852		get_random_bytes(entropy, entropylen);
 853	while (!drbg_fips_continuous_test(drbg, entropy));
 854}
 855
 856static int drbg_seed_from_random(struct drbg_state *drbg)
 857	__must_hold(&drbg->drbg_mutex)
 858{
 859	struct drbg_string data;
 860	LIST_HEAD(seedlist);
 861	unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
 862	unsigned char entropy[32];
 863	int ret;
 864
 865	BUG_ON(!entropylen);
 866	BUG_ON(entropylen > sizeof(entropy));
 867
 868	drbg_string_fill(&data, entropy, entropylen);
 869	list_add_tail(&data.list, &seedlist);
 870
 871	drbg_get_random_bytes(drbg, entropy, entropylen);
 872
 873	ret = __drbg_seed(drbg, &seedlist, true, DRBG_SEED_STATE_FULL);
 874
 875	memzero_explicit(entropy, entropylen);
 876	return ret;
 877}
 878
 879static bool drbg_nopr_reseed_interval_elapsed(struct drbg_state *drbg)
 880{
 881	unsigned long next_reseed;
 882
 883	/* Don't ever reseed from get_random_bytes() in test mode. */
 884	if (list_empty(&drbg->test_data.list))
 885		return false;
 886
 887	/*
 888	 * Obtain fresh entropy for the nopr DRBGs after 300s have
 889	 * elapsed in order to still achieve sort of partial
 890	 * prediction resistance over the time domain at least. Note
 891	 * that the period of 300s has been chosen to match the
 892	 * CRNG_RESEED_INTERVAL of the get_random_bytes()' chacha
 893	 * rngs.
 894	 */
 895	next_reseed = drbg->last_seed_time + 300 * HZ;
 896	return time_after(jiffies, next_reseed);
 897}
 898
 899/*
 900 * Seeding or reseeding of the DRBG
 901 *
 902 * @drbg: DRBG state struct
 903 * @pers: personalization / additional information buffer
 904 * @reseed: 0 for initial seed process, 1 for reseeding
 905 *
 906 * return:
 907 *	0 on success
 908 *	error value otherwise
 909 */
 910static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers,
 911		     bool reseed)
 912	__must_hold(&drbg->drbg_mutex)
 913{
 914	int ret;
 915	unsigned char entropy[((32 + 16) * 2)];
 916	unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
 917	struct drbg_string data1;
 918	LIST_HEAD(seedlist);
 919	enum drbg_seed_state new_seed_state = DRBG_SEED_STATE_FULL;
 920
 921	/* 9.1 / 9.2 / 9.3.1 step 3 */
 922	if (pers && pers->len > (drbg_max_addtl(drbg))) {
 923		pr_devel("DRBG: personalization string too long %zu\n",
 924			 pers->len);
 925		return -EINVAL;
 926	}
 927
 928	if (list_empty(&drbg->test_data.list)) {
 929		drbg_string_fill(&data1, drbg->test_data.buf,
 930				 drbg->test_data.len);
 931		pr_devel("DRBG: using test entropy\n");
 932	} else {
 933		/*
 934		 * Gather entropy equal to the security strength of the DRBG.
 935		 * With a derivation function, a nonce is required in addition
 936		 * to the entropy. A nonce must be at least 1/2 of the security
 937		 * strength of the DRBG in size. Thus, entropy + nonce is 3/2
 938		 * of the strength. The consideration of a nonce is only
 939		 * applicable during initial seeding.
 940		 */
 941		BUG_ON(!entropylen);
 942		if (!reseed)
 943			entropylen = ((entropylen + 1) / 2) * 3;
 944		BUG_ON((entropylen * 2) > sizeof(entropy));
 945
 946		/* Get seed from in-kernel /dev/urandom */
 947		if (!rng_is_initialized())
 948			new_seed_state = DRBG_SEED_STATE_PARTIAL;
 949
 950		drbg_get_random_bytes(drbg, entropy, entropylen);
 951
 952		if (!drbg->jent) {
 953			drbg_string_fill(&data1, entropy, entropylen);
 954			pr_devel("DRBG: (re)seeding with %u bytes of entropy\n",
 955				 entropylen);
 956		} else {
 957			/*
 958			 * Get seed from Jitter RNG, failures are
 959			 * fatal only in FIPS mode.
 960			 */
 961			ret = crypto_rng_get_bytes(drbg->jent,
 962						   entropy + entropylen,
 963						   entropylen);
 964			if (fips_enabled && ret) {
 965				pr_devel("DRBG: jent failed with %d\n", ret);
 966
 967				/*
 968				 * Do not treat the transient failure of the
 969				 * Jitter RNG as an error that needs to be
 970				 * reported. The combined number of the
 971				 * maximum reseed threshold times the maximum
 972				 * number of Jitter RNG transient errors is
 973				 * less than the reseed threshold required by
 974				 * SP800-90A allowing us to treat the
 975				 * transient errors as such.
 976				 *
 977				 * However, we mandate that at least the first
 978				 * seeding operation must succeed with the
 979				 * Jitter RNG.
 980				 */
 981				if (!reseed || ret != -EAGAIN)
 982					goto out;
 983			}
 984
 985			drbg_string_fill(&data1, entropy, entropylen * 2);
 986			pr_devel("DRBG: (re)seeding with %u bytes of entropy\n",
 987				 entropylen * 2);
 988		}
 989	}
 990	list_add_tail(&data1.list, &seedlist);
 991
 992	/*
 993	 * concatenation of entropy with personalization str / addtl input)
 994	 * the variable pers is directly handed in by the caller, so check its
 995	 * contents whether it is appropriate
 996	 */
 997	if (pers && pers->buf && 0 < pers->len) {
 998		list_add_tail(&pers->list, &seedlist);
 999		pr_devel("DRBG: using personalization string\n");
1000	}
1001
1002	if (!reseed) {
1003		memset(drbg->V, 0, drbg_statelen(drbg));
1004		memset(drbg->C, 0, drbg_statelen(drbg));
1005	}
1006
1007	ret = __drbg_seed(drbg, &seedlist, reseed, new_seed_state);
1008
1009out:
1010	memzero_explicit(entropy, entropylen * 2);
1011
1012	return ret;
1013}
1014
1015/* Free all substructures in a DRBG state without the DRBG state structure */
1016static inline void drbg_dealloc_state(struct drbg_state *drbg)
1017{
1018	if (!drbg)
1019		return;
1020	kfree_sensitive(drbg->Vbuf);
1021	drbg->Vbuf = NULL;
1022	drbg->V = NULL;
1023	kfree_sensitive(drbg->Cbuf);
1024	drbg->Cbuf = NULL;
1025	drbg->C = NULL;
1026	kfree_sensitive(drbg->scratchpadbuf);
1027	drbg->scratchpadbuf = NULL;
1028	drbg->reseed_ctr = 0;
1029	drbg->d_ops = NULL;
1030	drbg->core = NULL;
1031	if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) {
1032		kfree_sensitive(drbg->prev);
1033		drbg->prev = NULL;
1034		drbg->fips_primed = false;
1035	}
1036}
1037
1038/*
1039 * Allocate all sub-structures for a DRBG state.
1040 * The DRBG state structure must already be allocated.
1041 */
1042static inline int drbg_alloc_state(struct drbg_state *drbg)
1043{
1044	int ret = -ENOMEM;
1045	unsigned int sb_size = 0;
1046
1047	switch (drbg->core->flags & DRBG_TYPE_MASK) {
1048#ifdef CONFIG_CRYPTO_DRBG_HMAC
1049	case DRBG_HMAC:
1050		drbg->d_ops = &drbg_hmac_ops;
1051		break;
1052#endif /* CONFIG_CRYPTO_DRBG_HMAC */
1053#ifdef CONFIG_CRYPTO_DRBG_HASH
1054	case DRBG_HASH:
1055		drbg->d_ops = &drbg_hash_ops;
1056		break;
1057#endif /* CONFIG_CRYPTO_DRBG_HASH */
1058#ifdef CONFIG_CRYPTO_DRBG_CTR
1059	case DRBG_CTR:
1060		drbg->d_ops = &drbg_ctr_ops;
1061		break;
1062#endif /* CONFIG_CRYPTO_DRBG_CTR */
1063	default:
1064		ret = -EOPNOTSUPP;
1065		goto err;
1066	}
1067
1068	ret = drbg->d_ops->crypto_init(drbg);
1069	if (ret < 0)
1070		goto err;
1071
1072	drbg->Vbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL);
1073	if (!drbg->Vbuf) {
1074		ret = -ENOMEM;
1075		goto fini;
1076	}
1077	drbg->V = PTR_ALIGN(drbg->Vbuf, ret + 1);
1078	drbg->Cbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL);
1079	if (!drbg->Cbuf) {
1080		ret = -ENOMEM;
1081		goto fini;
1082	}
1083	drbg->C = PTR_ALIGN(drbg->Cbuf, ret + 1);
1084	/* scratchpad is only generated for CTR and Hash */
1085	if (drbg->core->flags & DRBG_HMAC)
1086		sb_size = 0;
1087	else if (drbg->core->flags & DRBG_CTR)
1088		sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) + /* temp */
1089			  crypto_drbg_ctr_df_datalen(drbg_statelen(drbg),
1090						     drbg_blocklen(drbg));
1091	else
1092		sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg);
1093
1094	if (0 < sb_size) {
1095		drbg->scratchpadbuf = kzalloc(sb_size + ret, GFP_KERNEL);
1096		if (!drbg->scratchpadbuf) {
1097			ret = -ENOMEM;
1098			goto fini;
1099		}
1100		drbg->scratchpad = PTR_ALIGN(drbg->scratchpadbuf, ret + 1);
1101	}
1102
1103	if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) {
1104		drbg->prev = kzalloc(drbg_sec_strength(drbg->core->flags),
1105				     GFP_KERNEL);
1106		if (!drbg->prev) {
1107			ret = -ENOMEM;
1108			goto fini;
1109		}
1110		drbg->fips_primed = false;
1111	}
1112
1113	return 0;
1114
1115fini:
1116	drbg->d_ops->crypto_fini(drbg);
1117err:
1118	drbg_dealloc_state(drbg);
1119	return ret;
1120}
1121
1122/*************************************************************************
1123 * DRBG interface functions
1124 *************************************************************************/
1125
1126/*
1127 * DRBG generate function as required by SP800-90A - this function
1128 * generates random numbers
1129 *
1130 * @drbg DRBG state handle
1131 * @buf Buffer where to store the random numbers -- the buffer must already
1132 *      be pre-allocated by caller
1133 * @buflen Length of output buffer - this value defines the number of random
1134 *	   bytes pulled from DRBG
1135 * @addtl Additional input that is mixed into state, may be NULL -- note
1136 *	  the entropy is pulled by the DRBG internally unconditionally
1137 *	  as defined in SP800-90A. The additional input is mixed into
1138 *	  the state in addition to the pulled entropy.
1139 *
1140 * return: 0 when all bytes are generated; < 0 in case of an error
1141 */
1142static int drbg_generate(struct drbg_state *drbg,
1143			 unsigned char *buf, unsigned int buflen,
1144			 struct drbg_string *addtl)
1145	__must_hold(&drbg->drbg_mutex)
1146{
1147	int len = 0;
1148	LIST_HEAD(addtllist);
1149
1150	if (!drbg->core) {
1151		pr_devel("DRBG: not yet seeded\n");
1152		return -EINVAL;
1153	}
1154	if (0 == buflen || !buf) {
1155		pr_devel("DRBG: no output buffer provided\n");
1156		return -EINVAL;
1157	}
1158	if (addtl && NULL == addtl->buf && 0 < addtl->len) {
1159		pr_devel("DRBG: wrong format of additional information\n");
1160		return -EINVAL;
1161	}
1162
1163	/* 9.3.1 step 2 */
1164	len = -EINVAL;
1165	if (buflen > (drbg_max_request_bytes(drbg))) {
1166		pr_devel("DRBG: requested random numbers too large %u\n",
1167			 buflen);
1168		goto err;
1169	}
1170
1171	/* 9.3.1 step 3 is implicit with the chosen DRBG */
1172
1173	/* 9.3.1 step 4 */
1174	if (addtl && addtl->len > (drbg_max_addtl(drbg))) {
1175		pr_devel("DRBG: additional information string too long %zu\n",
1176			 addtl->len);
1177		goto err;
1178	}
1179	/* 9.3.1 step 5 is implicit with the chosen DRBG */
1180
1181	/*
1182	 * 9.3.1 step 6 and 9 supplemented by 9.3.2 step c is implemented
1183	 * here. The spec is a bit convoluted here, we make it simpler.
1184	 */
1185	if (drbg->reseed_threshold < drbg->reseed_ctr)
1186		drbg->seeded = DRBG_SEED_STATE_UNSEEDED;
1187
1188	if (drbg->pr || drbg->seeded == DRBG_SEED_STATE_UNSEEDED) {
1189		pr_devel("DRBG: reseeding before generation (prediction "
1190			 "resistance: %s, state %s)\n",
1191			 str_true_false(drbg->pr),
1192			 (drbg->seeded ==  DRBG_SEED_STATE_FULL ?
1193			  "seeded" : "unseeded"));
1194		/* 9.3.1 steps 7.1 through 7.3 */
1195		len = drbg_seed(drbg, addtl, true);
1196		if (len)
1197			goto err;
1198		/* 9.3.1 step 7.4 */
1199		addtl = NULL;
1200	} else if (rng_is_initialized() &&
1201		   (drbg->seeded == DRBG_SEED_STATE_PARTIAL ||
1202		    drbg_nopr_reseed_interval_elapsed(drbg))) {
1203		len = drbg_seed_from_random(drbg);
1204		if (len)
1205			goto err;
1206	}
1207
1208	if (addtl && 0 < addtl->len)
1209		list_add_tail(&addtl->list, &addtllist);
1210	/* 9.3.1 step 8 and 10 */
1211	len = drbg->d_ops->generate(drbg, buf, buflen, &addtllist);
1212
1213	/* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */
1214	drbg->reseed_ctr++;
1215	if (0 >= len)
1216		goto err;
1217
1218	/*
1219	 * Section 11.3.3 requires to re-perform self tests after some
1220	 * generated random numbers. The chosen value after which self
1221	 * test is performed is arbitrary, but it should be reasonable.
1222	 * However, we do not perform the self tests because of the following
1223	 * reasons: it is mathematically impossible that the initial self tests
1224	 * were successfully and the following are not. If the initial would
1225	 * pass and the following would not, the kernel integrity is violated.
1226	 * In this case, the entire kernel operation is questionable and it
1227	 * is unlikely that the integrity violation only affects the
1228	 * correct operation of the DRBG.
1229	 *
1230	 * Albeit the following code is commented out, it is provided in
1231	 * case somebody has a need to implement the test of 11.3.3.
1232	 */
1233#if 0
1234	if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096)) {
1235		int err = 0;
1236		pr_devel("DRBG: start to perform self test\n");
1237		if (drbg->core->flags & DRBG_HMAC)
1238			err = alg_test("drbg_pr_hmac_sha512",
1239				       "drbg_pr_hmac_sha512", 0, 0);
1240		else if (drbg->core->flags & DRBG_CTR)
1241			err = alg_test("drbg_pr_ctr_aes256",
1242				       "drbg_pr_ctr_aes256", 0, 0);
1243		else
1244			err = alg_test("drbg_pr_sha256",
1245				       "drbg_pr_sha256", 0, 0);
1246		if (err) {
1247			pr_err("DRBG: periodical self test failed\n");
1248			/*
1249			 * uninstantiate implies that from now on, only errors
1250			 * are returned when reusing this DRBG cipher handle
1251			 */
1252			drbg_uninstantiate(drbg);
1253			return 0;
1254		} else {
1255			pr_devel("DRBG: self test successful\n");
1256		}
1257	}
1258#endif
1259
1260	/*
1261	 * All operations were successful, return 0 as mandated by
1262	 * the kernel crypto API interface.
1263	 */
1264	len = 0;
1265err:
1266	return len;
1267}
1268
1269/*
1270 * Wrapper around drbg_generate which can pull arbitrary long strings
1271 * from the DRBG without hitting the maximum request limitation.
1272 *
1273 * Parameters: see drbg_generate
1274 * Return codes: see drbg_generate -- if one drbg_generate request fails,
1275 *		 the entire drbg_generate_long request fails
1276 */
1277static int drbg_generate_long(struct drbg_state *drbg,
1278			      unsigned char *buf, unsigned int buflen,
1279			      struct drbg_string *addtl)
1280{
1281	unsigned int len = 0;
1282	unsigned int slice = 0;
1283	do {
1284		int err = 0;
1285		unsigned int chunk = 0;
1286		slice = ((buflen - len) / drbg_max_request_bytes(drbg));
1287		chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len);
1288		mutex_lock(&drbg->drbg_mutex);
1289		err = drbg_generate(drbg, buf + len, chunk, addtl);
1290		mutex_unlock(&drbg->drbg_mutex);
1291		if (0 > err)
1292			return err;
1293		len += chunk;
1294	} while (slice > 0 && (len < buflen));
1295	return 0;
1296}
1297
1298static int drbg_prepare_hrng(struct drbg_state *drbg)
1299{
1300	/* We do not need an HRNG in test mode. */
1301	if (list_empty(&drbg->test_data.list))
1302		return 0;
1303
1304	drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0);
1305	if (IS_ERR(drbg->jent)) {
1306		const int err = PTR_ERR(drbg->jent);
1307
1308		drbg->jent = NULL;
1309		if (fips_enabled)
1310			return err;
1311		pr_info("DRBG: Continuing without Jitter RNG\n");
1312	}
1313
1314	return 0;
1315}
1316
1317/*
1318 * DRBG instantiation function as required by SP800-90A - this function
1319 * sets up the DRBG handle, performs the initial seeding and all sanity
1320 * checks required by SP800-90A
1321 *
1322 * @drbg memory of state -- if NULL, new memory is allocated
1323 * @pers Personalization string that is mixed into state, may be NULL -- note
1324 *	 the entropy is pulled by the DRBG internally unconditionally
1325 *	 as defined in SP800-90A. The additional input is mixed into
1326 *	 the state in addition to the pulled entropy.
1327 * @coreref reference to core
1328 * @pr prediction resistance enabled
1329 *
1330 * return
1331 *	0 on success
1332 *	error value otherwise
1333 */
1334static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers,
1335			    int coreref, bool pr)
1336{
1337	int ret;
1338	bool reseed = true;
1339
1340	pr_devel("DRBG: Initializing DRBG core %d with prediction resistance "
1341		 "%s\n", coreref, str_enabled_disabled(pr));
1342	mutex_lock(&drbg->drbg_mutex);
1343
1344	/* 9.1 step 1 is implicit with the selected DRBG type */
1345
1346	/*
1347	 * 9.1 step 2 is implicit as caller can select prediction resistance
1348	 * and the flag is copied into drbg->flags --
1349	 * all DRBG types support prediction resistance
1350	 */
1351
1352	/* 9.1 step 4 is implicit in  drbg_sec_strength */
1353
1354	if (!drbg->core) {
1355		drbg->core = &drbg_cores[coreref];
1356		drbg->pr = pr;
1357		drbg->seeded = DRBG_SEED_STATE_UNSEEDED;
1358		drbg->last_seed_time = 0;
1359		drbg->reseed_threshold = drbg_max_requests(drbg);
1360
1361		ret = drbg_alloc_state(drbg);
1362		if (ret)
1363			goto unlock;
1364
1365		ret = drbg_prepare_hrng(drbg);
1366		if (ret)
1367			goto free_everything;
1368
1369		reseed = false;
1370	}
1371
1372	ret = drbg_seed(drbg, pers, reseed);
1373
1374	if (ret && !reseed)
1375		goto free_everything;
1376
1377	mutex_unlock(&drbg->drbg_mutex);
1378	return ret;
1379
1380unlock:
1381	mutex_unlock(&drbg->drbg_mutex);
1382	return ret;
1383
1384free_everything:
1385	mutex_unlock(&drbg->drbg_mutex);
1386	drbg_uninstantiate(drbg);
1387	return ret;
1388}
1389
1390/*
1391 * DRBG uninstantiate function as required by SP800-90A - this function
1392 * frees all buffers and the DRBG handle
1393 *
1394 * @drbg DRBG state handle
1395 *
1396 * return
1397 *	0 on success
1398 */
1399static int drbg_uninstantiate(struct drbg_state *drbg)
1400{
1401	if (!IS_ERR_OR_NULL(drbg->jent))
1402		crypto_free_rng(drbg->jent);
1403	drbg->jent = NULL;
1404
1405	if (drbg->d_ops)
1406		drbg->d_ops->crypto_fini(drbg);
1407	drbg_dealloc_state(drbg);
1408	/* no scrubbing of test_data -- this shall survive an uninstantiate */
1409	return 0;
1410}
1411
1412/*
1413 * Helper function for setting the test data in the DRBG
1414 *
1415 * @drbg DRBG state handle
1416 * @data test data
1417 * @len test data length
1418 */
1419static void drbg_kcapi_set_entropy(struct crypto_rng *tfm,
1420				   const u8 *data, unsigned int len)
1421{
1422	struct drbg_state *drbg = crypto_rng_ctx(tfm);
1423
1424	mutex_lock(&drbg->drbg_mutex);
1425	drbg_string_fill(&drbg->test_data, data, len);
1426	mutex_unlock(&drbg->drbg_mutex);
1427}
1428
1429/***************************************************************
1430 * Kernel crypto API cipher invocations requested by DRBG
1431 ***************************************************************/
1432
1433#if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC)
1434struct sdesc {
1435	struct shash_desc shash;
1436};
1437
1438static int drbg_init_hash_kernel(struct drbg_state *drbg)
1439{
1440	struct sdesc *sdesc;
1441	struct crypto_shash *tfm;
1442
1443	tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0);
1444	if (IS_ERR(tfm)) {
1445		pr_info("DRBG: could not allocate digest TFM handle: %s\n",
1446				drbg->core->backend_cra_name);
1447		return PTR_ERR(tfm);
1448	}
1449	BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(tfm));
1450	sdesc = kzalloc(sizeof(struct shash_desc) + crypto_shash_descsize(tfm),
1451			GFP_KERNEL);
1452	if (!sdesc) {
1453		crypto_free_shash(tfm);
1454		return -ENOMEM;
1455	}
1456
1457	sdesc->shash.tfm = tfm;
1458	drbg->priv_data = sdesc;
1459
1460	return 0;
1461}
1462
1463static int drbg_fini_hash_kernel(struct drbg_state *drbg)
1464{
1465	struct sdesc *sdesc = drbg->priv_data;
1466	if (sdesc) {
1467		crypto_free_shash(sdesc->shash.tfm);
1468		kfree_sensitive(sdesc);
1469	}
1470	drbg->priv_data = NULL;
1471	return 0;
1472}
1473
1474static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg,
1475				  const unsigned char *key)
1476{
1477	struct sdesc *sdesc = drbg->priv_data;
1478
1479	crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg));
1480}
1481
1482static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval,
1483			   const struct list_head *in)
1484{
1485	struct sdesc *sdesc = drbg->priv_data;
1486	struct drbg_string *input = NULL;
1487
1488	crypto_shash_init(&sdesc->shash);
1489	list_for_each_entry(input, in, list)
1490		crypto_shash_update(&sdesc->shash, input->buf, input->len);
1491	return crypto_shash_final(&sdesc->shash, outval);
1492}
1493#endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */
1494
1495#ifdef CONFIG_CRYPTO_DRBG_CTR
1496static int drbg_fini_sym_kernel(struct drbg_state *drbg)
1497{
1498	struct aes_enckey *aeskey = drbg->priv_data;
1499
1500	kfree(aeskey);
1501	drbg->priv_data = NULL;
1502
1503	if (drbg->ctr_handle)
1504		crypto_free_skcipher(drbg->ctr_handle);
1505	drbg->ctr_handle = NULL;
1506
1507	if (drbg->ctr_req)
1508		skcipher_request_free(drbg->ctr_req);
1509	drbg->ctr_req = NULL;
1510
1511	kfree(drbg->outscratchpadbuf);
1512	drbg->outscratchpadbuf = NULL;
1513
1514	return 0;
1515}
1516
1517static int drbg_init_sym_kernel(struct drbg_state *drbg)
1518{
1519	struct aes_enckey *aeskey;
1520	struct crypto_skcipher *sk_tfm;
1521	struct skcipher_request *req;
1522	unsigned int alignmask;
1523	char ctr_name[CRYPTO_MAX_ALG_NAME];
1524
1525	aeskey = kzalloc_obj(*aeskey);
1526	if (!aeskey)
1527		return -ENOMEM;
1528	drbg->priv_data = aeskey;
1529
1530	if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)",
1531	    drbg->core->backend_cra_name) >= CRYPTO_MAX_ALG_NAME) {
1532		drbg_fini_sym_kernel(drbg);
1533		return -EINVAL;
1534	}
1535	sk_tfm = crypto_alloc_skcipher(ctr_name, 0, 0);
1536	if (IS_ERR(sk_tfm)) {
1537		pr_info("DRBG: could not allocate CTR cipher TFM handle: %s\n",
1538				ctr_name);
1539		drbg_fini_sym_kernel(drbg);
1540		return PTR_ERR(sk_tfm);
1541	}
1542	drbg->ctr_handle = sk_tfm;
1543	crypto_init_wait(&drbg->ctr_wait);
1544
1545	req = skcipher_request_alloc(sk_tfm, GFP_KERNEL);
1546	if (!req) {
1547		pr_info("DRBG: could not allocate request queue\n");
1548		drbg_fini_sym_kernel(drbg);
1549		return -ENOMEM;
1550	}
1551	drbg->ctr_req = req;
1552	skcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG |
1553						CRYPTO_TFM_REQ_MAY_SLEEP,
1554					crypto_req_done, &drbg->ctr_wait);
1555
1556	alignmask = crypto_skcipher_alignmask(sk_tfm);
1557	drbg->outscratchpadbuf = kmalloc(DRBG_OUTSCRATCHLEN + alignmask,
1558					 GFP_KERNEL);
1559	if (!drbg->outscratchpadbuf) {
1560		drbg_fini_sym_kernel(drbg);
1561		return -ENOMEM;
1562	}
1563	drbg->outscratchpad = (u8 *)PTR_ALIGN(drbg->outscratchpadbuf,
1564					      alignmask + 1);
1565
1566	sg_init_table(&drbg->sg_in, 1);
1567	sg_init_one(&drbg->sg_out, drbg->outscratchpad, DRBG_OUTSCRATCHLEN);
1568
1569	return alignmask;
1570}
1571
1572static int drbg_kcapi_sym_ctr(struct drbg_state *drbg,
1573			      u8 *inbuf, u32 inlen,
1574			      u8 *outbuf, u32 outlen)
1575{
1576	struct scatterlist *sg_in = &drbg->sg_in, *sg_out = &drbg->sg_out;
1577	u32 scratchpad_use = min_t(u32, outlen, DRBG_OUTSCRATCHLEN);
1578	int ret;
1579
1580	if (inbuf) {
1581		/* Use caller-provided input buffer */
1582		sg_set_buf(sg_in, inbuf, inlen);
1583	} else {
1584		/* Use scratchpad for in-place operation */
1585		inlen = scratchpad_use;
1586		memset(drbg->outscratchpad, 0, scratchpad_use);
1587		sg_set_buf(sg_in, drbg->outscratchpad, scratchpad_use);
1588	}
1589
1590	while (outlen) {
1591		u32 cryptlen = min3(inlen, outlen, (u32)DRBG_OUTSCRATCHLEN);
1592
1593		/* Output buffer may not be valid for SGL, use scratchpad */
1594		skcipher_request_set_crypt(drbg->ctr_req, sg_in, sg_out,
1595					   cryptlen, drbg->V);
1596		ret = crypto_wait_req(crypto_skcipher_encrypt(drbg->ctr_req),
1597					&drbg->ctr_wait);
1598		if (ret)
1599			goto out;
1600
1601		crypto_init_wait(&drbg->ctr_wait);
1602
1603		memcpy(outbuf, drbg->outscratchpad, cryptlen);
1604		memzero_explicit(drbg->outscratchpad, cryptlen);
1605
1606		outlen -= cryptlen;
1607		outbuf += cryptlen;
1608	}
1609	ret = 0;
1610
1611out:
1612	return ret;
1613}
1614#endif /* CONFIG_CRYPTO_DRBG_CTR */
1615
1616/***************************************************************
1617 * Kernel crypto API interface to register DRBG
1618 ***************************************************************/
1619
1620/*
1621 * Look up the DRBG flags by given kernel crypto API cra_name
1622 * The code uses the drbg_cores definition to do this
1623 *
1624 * @cra_name kernel crypto API cra_name
1625 * @coreref reference to integer which is filled with the pointer to
1626 *  the applicable core
1627 * @pr reference for setting prediction resistance
1628 *
1629 * return: flags
1630 */
1631static inline void drbg_convert_tfm_core(const char *cra_driver_name,
1632					 int *coreref, bool *pr)
1633{
1634	int i = 0;
1635	size_t start = 0;
1636	int len = 0;
1637
1638	*pr = true;
1639	/* disassemble the names */
1640	if (!memcmp(cra_driver_name, "drbg_nopr_", 10)) {
1641		start = 10;
1642		*pr = false;
1643	} else if (!memcmp(cra_driver_name, "drbg_pr_", 8)) {
1644		start = 8;
1645	} else {
1646		return;
1647	}
1648
1649	/* remove the first part */
1650	len = strlen(cra_driver_name) - start;
1651	for (i = 0; ARRAY_SIZE(drbg_cores) > i; i++) {
1652		if (!memcmp(cra_driver_name + start, drbg_cores[i].cra_name,
1653			    len)) {
1654			*coreref = i;
1655			return;
1656		}
1657	}
1658}
1659
1660static int drbg_kcapi_init(struct crypto_tfm *tfm)
1661{
1662	struct drbg_state *drbg = crypto_tfm_ctx(tfm);
1663
1664	mutex_init(&drbg->drbg_mutex);
1665
1666	return 0;
1667}
1668
1669static void drbg_kcapi_cleanup(struct crypto_tfm *tfm)
1670{
1671	drbg_uninstantiate(crypto_tfm_ctx(tfm));
1672}
1673
1674/*
1675 * Generate random numbers invoked by the kernel crypto API:
1676 * The API of the kernel crypto API is extended as follows:
1677 *
1678 * src is additional input supplied to the RNG.
1679 * slen is the length of src.
1680 * dst is the output buffer where random data is to be stored.
1681 * dlen is the length of dst.
1682 */
1683static int drbg_kcapi_random(struct crypto_rng *tfm,
1684			     const u8 *src, unsigned int slen,
1685			     u8 *dst, unsigned int dlen)
1686{
1687	struct drbg_state *drbg = crypto_rng_ctx(tfm);
1688	struct drbg_string *addtl = NULL;
1689	struct drbg_string string;
1690
1691	if (slen) {
1692		/* linked list variable is now local to allow modification */
1693		drbg_string_fill(&string, src, slen);
1694		addtl = &string;
1695	}
1696
1697	return drbg_generate_long(drbg, dst, dlen, addtl);
1698}
1699
1700/*
1701 * Seed the DRBG invoked by the kernel crypto API
1702 */
1703static int drbg_kcapi_seed(struct crypto_rng *tfm,
1704			   const u8 *seed, unsigned int slen)
1705{
1706	struct drbg_state *drbg = crypto_rng_ctx(tfm);
1707	struct crypto_tfm *tfm_base = crypto_rng_tfm(tfm);
1708	bool pr = false;
1709	struct drbg_string string;
1710	struct drbg_string *seed_string = NULL;
1711	int coreref = 0;
1712
1713	drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm_base), &coreref,
1714			      &pr);
1715	if (0 < slen) {
1716		drbg_string_fill(&string, seed, slen);
1717		seed_string = &string;
1718	}
1719
1720	return drbg_instantiate(drbg, seed_string, coreref, pr);
1721}
1722
1723/***************************************************************
1724 * Kernel module: code to load the module
1725 ***************************************************************/
1726
1727/*
1728 * Tests as defined in 11.3.2 in addition to the cipher tests: testing
1729 * of the error handling.
1730 *
1731 * Note: testing of failing seed source as defined in 11.3.2 is not applicable
1732 * as seed source of get_random_bytes does not fail.
1733 *
1734 * Note 2: There is no sensible way of testing the reseed counter
1735 * enforcement, so skip it.
1736 */
1737static inline int __init drbg_healthcheck_sanity(void)
1738{
1739	int len = 0;
1740#define OUTBUFLEN 16
1741	unsigned char buf[OUTBUFLEN];
1742	struct drbg_state *drbg = NULL;
1743	int ret;
1744	int rc = -EFAULT;
1745	bool pr = false;
1746	int coreref = 0;
1747	struct drbg_string addtl;
1748	size_t max_addtllen, max_request_bytes;
1749
1750	/* only perform test in FIPS mode */
1751	if (!fips_enabled)
1752		return 0;
1753
1754#ifdef CONFIG_CRYPTO_DRBG_CTR
1755	drbg_convert_tfm_core("drbg_nopr_ctr_aes256", &coreref, &pr);
1756#endif
1757#ifdef CONFIG_CRYPTO_DRBG_HASH
1758	drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr);
1759#endif
1760#ifdef CONFIG_CRYPTO_DRBG_HMAC
1761	drbg_convert_tfm_core("drbg_nopr_hmac_sha512", &coreref, &pr);
1762#endif
1763
1764	drbg = kzalloc_obj(struct drbg_state);
1765	if (!drbg)
1766		return -ENOMEM;
1767
1768	guard(mutex_init)(&drbg->drbg_mutex);
1769	drbg->core = &drbg_cores[coreref];
1770	drbg->reseed_threshold = drbg_max_requests(drbg);
1771
1772	/*
1773	 * if the following tests fail, it is likely that there is a buffer
1774	 * overflow as buf is much smaller than the requested or provided
1775	 * string lengths -- in case the error handling does not succeed
1776	 * we may get an OOPS. And we want to get an OOPS as this is a
1777	 * grave bug.
1778	 */
1779
1780	max_addtllen = drbg_max_addtl(drbg);
1781	max_request_bytes = drbg_max_request_bytes(drbg);
1782	drbg_string_fill(&addtl, buf, max_addtllen + 1);
1783	/* overflow addtllen with additional info string */
1784	len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl);
1785	BUG_ON(0 < len);
1786	/* overflow max_bits */
1787	len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL);
1788	BUG_ON(0 < len);
1789
1790	/* overflow max addtllen with personalization string */
1791	ret = drbg_seed(drbg, &addtl, false);
1792	BUG_ON(0 == ret);
1793	/* all tests passed */
1794	rc = 0;
1795
1796	pr_devel("DRBG: Sanity tests for failure code paths successfully "
1797		 "completed\n");
1798
1799	kfree(drbg);
1800	return rc;
1801}
1802
1803static struct rng_alg drbg_algs[22];
1804
1805/*
1806 * Fill the array drbg_algs used to register the different DRBGs
1807 * with the kernel crypto API. To fill the array, the information
1808 * from drbg_cores[] is used.
1809 */
1810static inline void __init drbg_fill_array(struct rng_alg *alg,
1811					  const struct drbg_core *core, int pr)
1812{
1813	int pos = 0;
1814	static int priority = 200;
1815
1816	memcpy(alg->base.cra_name, "stdrng", 6);
1817	if (pr) {
1818		memcpy(alg->base.cra_driver_name, "drbg_pr_", 8);
1819		pos = 8;
1820	} else {
1821		memcpy(alg->base.cra_driver_name, "drbg_nopr_", 10);
1822		pos = 10;
1823	}
1824	memcpy(alg->base.cra_driver_name + pos, core->cra_name,
1825	       strlen(core->cra_name));
1826
1827	alg->base.cra_priority = priority;
1828	priority++;
1829	/*
1830	 * If FIPS mode enabled, the selected DRBG shall have the
1831	 * highest cra_priority over other stdrng instances to ensure
1832	 * it is selected.
1833	 */
1834	if (fips_enabled)
1835		alg->base.cra_priority += 200;
1836
1837	alg->base.cra_ctxsize 	= sizeof(struct drbg_state);
1838	alg->base.cra_module	= THIS_MODULE;
1839	alg->base.cra_init	= drbg_kcapi_init;
1840	alg->base.cra_exit	= drbg_kcapi_cleanup;
1841	alg->generate		= drbg_kcapi_random;
1842	alg->seed		= drbg_kcapi_seed;
1843	alg->set_ent		= drbg_kcapi_set_entropy;
1844	alg->seedsize		= 0;
1845}
1846
1847static int __init drbg_init(void)
1848{
1849	unsigned int i = 0; /* pointer to drbg_algs */
1850	unsigned int j = 0; /* pointer to drbg_cores */
1851	int ret;
1852
1853	ret = drbg_healthcheck_sanity();
1854	if (ret)
1855		return ret;
1856
1857	if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) {
1858		pr_info("DRBG: Cannot register all DRBG types"
1859			"(slots needed: %zu, slots available: %zu)\n",
1860			ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs));
1861		return -EFAULT;
1862	}
1863
1864	/*
1865	 * each DRBG definition can be used with PR and without PR, thus
1866	 * we instantiate each DRBG in drbg_cores[] twice.
1867	 *
1868	 * As the order of placing them into the drbg_algs array matters
1869	 * (the later DRBGs receive a higher cra_priority) we register the
1870	 * prediction resistance DRBGs first as the should not be too
1871	 * interesting.
1872	 */
1873	for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++)
1874		drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 1);
1875	for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++)
1876		drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 0);
1877	return crypto_register_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2));
1878}
1879
1880static void __exit drbg_exit(void)
1881{
1882	crypto_unregister_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2));
1883}
1884
1885module_init(drbg_init);
1886module_exit(drbg_exit);
1887#ifndef CRYPTO_DRBG_HASH_STRING
1888#define CRYPTO_DRBG_HASH_STRING ""
1889#endif
1890#ifndef CRYPTO_DRBG_HMAC_STRING
1891#define CRYPTO_DRBG_HMAC_STRING ""
1892#endif
1893#ifndef CRYPTO_DRBG_CTR_STRING
1894#define CRYPTO_DRBG_CTR_STRING ""
1895#endif
1896MODULE_LICENSE("GPL");
1897MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
1898MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) "
1899		   "using following cores: "
1900		   CRYPTO_DRBG_HASH_STRING
1901		   CRYPTO_DRBG_HMAC_STRING
1902		   CRYPTO_DRBG_CTR_STRING);
1903MODULE_ALIAS_CRYPTO("stdrng");
1904MODULE_IMPORT_NS("CRYPTO_INTERNAL");
Configure Feed

Configure Feed
