Merge tag 'for-6.2-rc7-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave...
[platform/kernel/linux-rpi.git] / crypto / drbg.c
1 /*
2  * DRBG: Deterministic Random Bits Generator
3  *       Based on NIST Recommended DRBG from NIST SP800-90A with the following
4  *       properties:
5  *              * CTR DRBG with DF with AES-128, AES-192, AES-256 cores
6  *              * Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
7  *              * HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
8  *              * with and without prediction resistance
9  *
10  * Copyright Stephan Mueller <smueller@chronox.de>, 2014
11  *
12  * Redistribution and use in source and binary forms, with or without
13  * modification, are permitted provided that the following conditions
14  * are met:
15  * 1. Redistributions of source code must retain the above copyright
16  *    notice, and the entire permission notice in its entirety,
17  *    including the disclaimer of warranties.
18  * 2. Redistributions in binary form must reproduce the above copyright
19  *    notice, this list of conditions and the following disclaimer in the
20  *    documentation and/or other materials provided with the distribution.
21  * 3. The name of the author may not be used to endorse or promote
22  *    products derived from this software without specific prior
23  *    written permission.
24  *
25  * ALTERNATIVELY, this product may be distributed under the terms of
26  * the GNU General Public License, in which case the provisions of the GPL are
27  * required INSTEAD OF the above restrictions.  (This clause is
28  * necessary due to a potential bad interaction between the GPL and
29  * the restrictions contained in a BSD-style copyright.)
30  *
31  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
32  * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
33  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
34  * WHICH ARE HEREBY DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE
35  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
36  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
37  * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
38  * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
39  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
40  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
41  * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
42  * DAMAGE.
43  *
44  * DRBG Usage
45  * ==========
46  * The SP 800-90A DRBG allows the user to specify a personalization string
47  * for initialization as well as an additional information string for each
48  * random number request. The following code fragments show how a caller
49  * uses the kernel crypto API to use the full functionality of the DRBG.
50  *
51  * Usage without any additional data
52  * ---------------------------------
53  * struct crypto_rng *drng;
54  * int err;
55  * char data[DATALEN];
56  *
57  * drng = crypto_alloc_rng(drng_name, 0, 0);
58  * err = crypto_rng_get_bytes(drng, &data, DATALEN);
59  * crypto_free_rng(drng);
60  *
61  *
62  * Usage with personalization string during initialization
63  * -------------------------------------------------------
64  * struct crypto_rng *drng;
65  * int err;
66  * char data[DATALEN];
67  * struct drbg_string pers;
68  * char personalization[11] = "some-string";
69  *
70  * drbg_string_fill(&pers, personalization, strlen(personalization));
71  * drng = crypto_alloc_rng(drng_name, 0, 0);
72  * // The reset completely re-initializes the DRBG with the provided
73  * // personalization string
74  * err = crypto_rng_reset(drng, &personalization, strlen(personalization));
75  * err = crypto_rng_get_bytes(drng, &data, DATALEN);
76  * crypto_free_rng(drng);
77  *
78  *
79  * Usage with additional information string during random number request
80  * ---------------------------------------------------------------------
81  * struct crypto_rng *drng;
82  * int err;
83  * char data[DATALEN];
84  * char addtl_string[11] = "some-string";
85  * string drbg_string addtl;
86  *
87  * drbg_string_fill(&addtl, addtl_string, strlen(addtl_string));
88  * drng = crypto_alloc_rng(drng_name, 0, 0);
89  * // The following call is a wrapper to crypto_rng_get_bytes() and returns
90  * // the same error codes.
91  * err = crypto_drbg_get_bytes_addtl(drng, &data, DATALEN, &addtl);
92  * crypto_free_rng(drng);
93  *
94  *
95  * Usage with personalization and additional information strings
96  * -------------------------------------------------------------
97  * Just mix both scenarios above.
98  */
99
100 #include <crypto/drbg.h>
101 #include <crypto/internal/cipher.h>
102 #include <linux/kernel.h>
103 #include <linux/jiffies.h>
104
105 /***************************************************************
106  * Backend cipher definitions available to DRBG
107  ***************************************************************/
108
109 /*
110  * The order of the DRBG definitions here matter: every DRBG is registered
111  * as stdrng. Each DRBG receives an increasing cra_priority values the later
112  * they are defined in this array (see drbg_fill_array).
113  *
114  * HMAC DRBGs are favored over Hash DRBGs over CTR DRBGs, and
115  * the SHA256 / AES 256 over other ciphers. Thus, the favored
116  * DRBGs are the latest entries in this array.
117  */
118 static const struct drbg_core drbg_cores[] = {
119 #ifdef CONFIG_CRYPTO_DRBG_CTR
120         {
121                 .flags = DRBG_CTR | DRBG_STRENGTH128,
122                 .statelen = 32, /* 256 bits as defined in 10.2.1 */
123                 .blocklen_bytes = 16,
124                 .cra_name = "ctr_aes128",
125                 .backend_cra_name = "aes",
126         }, {
127                 .flags = DRBG_CTR | DRBG_STRENGTH192,
128                 .statelen = 40, /* 320 bits as defined in 10.2.1 */
129                 .blocklen_bytes = 16,
130                 .cra_name = "ctr_aes192",
131                 .backend_cra_name = "aes",
132         }, {
133                 .flags = DRBG_CTR | DRBG_STRENGTH256,
134                 .statelen = 48, /* 384 bits as defined in 10.2.1 */
135                 .blocklen_bytes = 16,
136                 .cra_name = "ctr_aes256",
137                 .backend_cra_name = "aes",
138         },
139 #endif /* CONFIG_CRYPTO_DRBG_CTR */
140 #ifdef CONFIG_CRYPTO_DRBG_HASH
141         {
142                 .flags = DRBG_HASH | DRBG_STRENGTH128,
143                 .statelen = 55, /* 440 bits */
144                 .blocklen_bytes = 20,
145                 .cra_name = "sha1",
146                 .backend_cra_name = "sha1",
147         }, {
148                 .flags = DRBG_HASH | DRBG_STRENGTH256,
149                 .statelen = 111, /* 888 bits */
150                 .blocklen_bytes = 48,
151                 .cra_name = "sha384",
152                 .backend_cra_name = "sha384",
153         }, {
154                 .flags = DRBG_HASH | DRBG_STRENGTH256,
155                 .statelen = 111, /* 888 bits */
156                 .blocklen_bytes = 64,
157                 .cra_name = "sha512",
158                 .backend_cra_name = "sha512",
159         }, {
160                 .flags = DRBG_HASH | DRBG_STRENGTH256,
161                 .statelen = 55, /* 440 bits */
162                 .blocklen_bytes = 32,
163                 .cra_name = "sha256",
164                 .backend_cra_name = "sha256",
165         },
166 #endif /* CONFIG_CRYPTO_DRBG_HASH */
167 #ifdef CONFIG_CRYPTO_DRBG_HMAC
168         {
169                 .flags = DRBG_HMAC | DRBG_STRENGTH128,
170                 .statelen = 20, /* block length of cipher */
171                 .blocklen_bytes = 20,
172                 .cra_name = "hmac_sha1",
173                 .backend_cra_name = "hmac(sha1)",
174         }, {
175                 .flags = DRBG_HMAC | DRBG_STRENGTH256,
176                 .statelen = 48, /* block length of cipher */
177                 .blocklen_bytes = 48,
178                 .cra_name = "hmac_sha384",
179                 .backend_cra_name = "hmac(sha384)",
180         }, {
181                 .flags = DRBG_HMAC | DRBG_STRENGTH256,
182                 .statelen = 32, /* block length of cipher */
183                 .blocklen_bytes = 32,
184                 .cra_name = "hmac_sha256",
185                 .backend_cra_name = "hmac(sha256)",
186         }, {
187                 .flags = DRBG_HMAC | DRBG_STRENGTH256,
188                 .statelen = 64, /* block length of cipher */
189                 .blocklen_bytes = 64,
190                 .cra_name = "hmac_sha512",
191                 .backend_cra_name = "hmac(sha512)",
192         },
193 #endif /* CONFIG_CRYPTO_DRBG_HMAC */
194 };
195
196 static int drbg_uninstantiate(struct drbg_state *drbg);
197
198 /******************************************************************
199  * Generic helper functions
200  ******************************************************************/
201
202 /*
203  * Return strength of DRBG according to SP800-90A section 8.4
204  *
205  * @flags DRBG flags reference
206  *
207  * Return: normalized strength in *bytes* value or 32 as default
208  *         to counter programming errors
209  */
210 static inline unsigned short drbg_sec_strength(drbg_flag_t flags)
211 {
212         switch (flags & DRBG_STRENGTH_MASK) {
213         case DRBG_STRENGTH128:
214                 return 16;
215         case DRBG_STRENGTH192:
216                 return 24;
217         case DRBG_STRENGTH256:
218                 return 32;
219         default:
220                 return 32;
221         }
222 }
223
224 /*
225  * FIPS 140-2 continuous self test for the noise source
226  * The test is performed on the noise source input data. Thus, the function
227  * implicitly knows the size of the buffer to be equal to the security
228  * strength.
229  *
230  * Note, this function disregards the nonce trailing the entropy data during
231  * initial seeding.
232  *
233  * drbg->drbg_mutex must have been taken.
234  *
235  * @drbg DRBG handle
236  * @entropy buffer of seed data to be checked
237  *
238  * return:
239  *      0 on success
240  *      -EAGAIN on when the CTRNG is not yet primed
241  *      < 0 on error
242  */
243 static int drbg_fips_continuous_test(struct drbg_state *drbg,
244                                      const unsigned char *entropy)
245 {
246         unsigned short entropylen = drbg_sec_strength(drbg->core->flags);
247         int ret = 0;
248
249         if (!IS_ENABLED(CONFIG_CRYPTO_FIPS))
250                 return 0;
251
252         /* skip test if we test the overall system */
253         if (list_empty(&drbg->test_data.list))
254                 return 0;
255         /* only perform test in FIPS mode */
256         if (!fips_enabled)
257                 return 0;
258
259         if (!drbg->fips_primed) {
260                 /* Priming of FIPS test */
261                 memcpy(drbg->prev, entropy, entropylen);
262                 drbg->fips_primed = true;
263                 /* priming: another round is needed */
264                 return -EAGAIN;
265         }
266         ret = memcmp(drbg->prev, entropy, entropylen);
267         if (!ret)
268                 panic("DRBG continuous self test failed\n");
269         memcpy(drbg->prev, entropy, entropylen);
270
271         /* the test shall pass when the two values are not equal */
272         return 0;
273 }
274
275 /*
276  * Convert an integer into a byte representation of this integer.
277  * The byte representation is big-endian
278  *
279  * @val value to be converted
280  * @buf buffer holding the converted integer -- caller must ensure that
281  *      buffer size is at least 32 bit
282  */
283 #if (defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR))
284 static inline void drbg_cpu_to_be32(__u32 val, unsigned char *buf)
285 {
286         struct s {
287                 __be32 conv;
288         };
289         struct s *conversion = (struct s *) buf;
290
291         conversion->conv = cpu_to_be32(val);
292 }
293 #endif /* defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR) */
294
295 /******************************************************************
296  * CTR DRBG callback functions
297  ******************************************************************/
298
299 #ifdef CONFIG_CRYPTO_DRBG_CTR
300 #define CRYPTO_DRBG_CTR_STRING "CTR "
301 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes256");
302 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes256");
303 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes192");
304 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes192");
305 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes128");
306 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes128");
307
308 static void drbg_kcapi_symsetkey(struct drbg_state *drbg,
309                                  const unsigned char *key);
310 static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval,
311                           const struct drbg_string *in);
312 static int drbg_init_sym_kernel(struct drbg_state *drbg);
313 static int drbg_fini_sym_kernel(struct drbg_state *drbg);
314 static int drbg_kcapi_sym_ctr(struct drbg_state *drbg,
315                               u8 *inbuf, u32 inbuflen,
316                               u8 *outbuf, u32 outlen);
317 #define DRBG_OUTSCRATCHLEN 256
318
319 /* BCC function for CTR DRBG as defined in 10.4.3 */
320 static int drbg_ctr_bcc(struct drbg_state *drbg,
321                         unsigned char *out, const unsigned char *key,
322                         struct list_head *in)
323 {
324         int ret = 0;
325         struct drbg_string *curr = NULL;
326         struct drbg_string data;
327         short cnt = 0;
328
329         drbg_string_fill(&data, out, drbg_blocklen(drbg));
330
331         /* 10.4.3 step 2 / 4 */
332         drbg_kcapi_symsetkey(drbg, key);
333         list_for_each_entry(curr, in, list) {
334                 const unsigned char *pos = curr->buf;
335                 size_t len = curr->len;
336                 /* 10.4.3 step 4.1 */
337                 while (len) {
338                         /* 10.4.3 step 4.2 */
339                         if (drbg_blocklen(drbg) == cnt) {
340                                 cnt = 0;
341                                 ret = drbg_kcapi_sym(drbg, out, &data);
342                                 if (ret)
343                                         return ret;
344                         }
345                         out[cnt] ^= *pos;
346                         pos++;
347                         cnt++;
348                         len--;
349                 }
350         }
351         /* 10.4.3 step 4.2 for last block */
352         if (cnt)
353                 ret = drbg_kcapi_sym(drbg, out, &data);
354
355         return ret;
356 }
357
358 /*
359  * scratchpad usage: drbg_ctr_update is interlinked with drbg_ctr_df
360  * (and drbg_ctr_bcc, but this function does not need any temporary buffers),
361  * the scratchpad is used as follows:
362  * drbg_ctr_update:
363  *      temp
364  *              start: drbg->scratchpad
365  *              length: drbg_statelen(drbg) + drbg_blocklen(drbg)
366  *                      note: the cipher writing into this variable works
367  *                      blocklen-wise. Now, when the statelen is not a multiple
368  *                      of blocklen, the generateion loop below "spills over"
369  *                      by at most blocklen. Thus, we need to give sufficient
370  *                      memory.
371  *      df_data
372  *              start: drbg->scratchpad +
373  *                              drbg_statelen(drbg) + drbg_blocklen(drbg)
374  *              length: drbg_statelen(drbg)
375  *
376  * drbg_ctr_df:
377  *      pad
378  *              start: df_data + drbg_statelen(drbg)
379  *              length: drbg_blocklen(drbg)
380  *      iv
381  *              start: pad + drbg_blocklen(drbg)
382  *              length: drbg_blocklen(drbg)
383  *      temp
384  *              start: iv + drbg_blocklen(drbg)
385  *              length: drbg_satelen(drbg) + drbg_blocklen(drbg)
386  *                      note: temp is the buffer that the BCC function operates
387  *                      on. BCC operates blockwise. drbg_statelen(drbg)
388  *                      is sufficient when the DRBG state length is a multiple
389  *                      of the block size. For AES192 (and maybe other ciphers)
390  *                      this is not correct and the length for temp is
391  *                      insufficient (yes, that also means for such ciphers,
392  *                      the final output of all BCC rounds are truncated).
393  *                      Therefore, add drbg_blocklen(drbg) to cover all
394  *                      possibilities.
395  */
396
397 /* Derivation Function for CTR DRBG as defined in 10.4.2 */
398 static int drbg_ctr_df(struct drbg_state *drbg,
399                        unsigned char *df_data, size_t bytes_to_return,
400                        struct list_head *seedlist)
401 {
402         int ret = -EFAULT;
403         unsigned char L_N[8];
404         /* S3 is input */
405         struct drbg_string S1, S2, S4, cipherin;
406         LIST_HEAD(bcc_list);
407         unsigned char *pad = df_data + drbg_statelen(drbg);
408         unsigned char *iv = pad + drbg_blocklen(drbg);
409         unsigned char *temp = iv + drbg_blocklen(drbg);
410         size_t padlen = 0;
411         unsigned int templen = 0;
412         /* 10.4.2 step 7 */
413         unsigned int i = 0;
414         /* 10.4.2 step 8 */
415         const unsigned char *K = (unsigned char *)
416                            "\x00\x01\x02\x03\x04\x05\x06\x07"
417                            "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
418                            "\x10\x11\x12\x13\x14\x15\x16\x17"
419                            "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f";
420         unsigned char *X;
421         size_t generated_len = 0;
422         size_t inputlen = 0;
423         struct drbg_string *seed = NULL;
424
425         memset(pad, 0, drbg_blocklen(drbg));
426         memset(iv, 0, drbg_blocklen(drbg));
427
428         /* 10.4.2 step 1 is implicit as we work byte-wise */
429
430         /* 10.4.2 step 2 */
431         if ((512/8) < bytes_to_return)
432                 return -EINVAL;
433
434         /* 10.4.2 step 2 -- calculate the entire length of all input data */
435         list_for_each_entry(seed, seedlist, list)
436                 inputlen += seed->len;
437         drbg_cpu_to_be32(inputlen, &L_N[0]);
438
439         /* 10.4.2 step 3 */
440         drbg_cpu_to_be32(bytes_to_return, &L_N[4]);
441
442         /* 10.4.2 step 5: length is L_N, input_string, one byte, padding */
443         padlen = (inputlen + sizeof(L_N) + 1) % (drbg_blocklen(drbg));
444         /* wrap the padlen appropriately */
445         if (padlen)
446                 padlen = drbg_blocklen(drbg) - padlen;
447         /*
448          * pad / padlen contains the 0x80 byte and the following zero bytes.
449          * As the calculated padlen value only covers the number of zero
450          * bytes, this value has to be incremented by one for the 0x80 byte.
451          */
452         padlen++;
453         pad[0] = 0x80;
454
455         /* 10.4.2 step 4 -- first fill the linked list and then order it */
456         drbg_string_fill(&S1, iv, drbg_blocklen(drbg));
457         list_add_tail(&S1.list, &bcc_list);
458         drbg_string_fill(&S2, L_N, sizeof(L_N));
459         list_add_tail(&S2.list, &bcc_list);
460         list_splice_tail(seedlist, &bcc_list);
461         drbg_string_fill(&S4, pad, padlen);
462         list_add_tail(&S4.list, &bcc_list);
463
464         /* 10.4.2 step 9 */
465         while (templen < (drbg_keylen(drbg) + (drbg_blocklen(drbg)))) {
466                 /*
467                  * 10.4.2 step 9.1 - the padding is implicit as the buffer
468                  * holds zeros after allocation -- even the increment of i
469                  * is irrelevant as the increment remains within length of i
470                  */
471                 drbg_cpu_to_be32(i, iv);
472                 /* 10.4.2 step 9.2 -- BCC and concatenation with temp */
473                 ret = drbg_ctr_bcc(drbg, temp + templen, K, &bcc_list);
474                 if (ret)
475                         goto out;
476                 /* 10.4.2 step 9.3 */
477                 i++;
478                 templen += drbg_blocklen(drbg);
479         }
480
481         /* 10.4.2 step 11 */
482         X = temp + (drbg_keylen(drbg));
483         drbg_string_fill(&cipherin, X, drbg_blocklen(drbg));
484
485         /* 10.4.2 step 12: overwriting of outval is implemented in next step */
486
487         /* 10.4.2 step 13 */
488         drbg_kcapi_symsetkey(drbg, temp);
489         while (generated_len < bytes_to_return) {
490                 short blocklen = 0;
491                 /*
492                  * 10.4.2 step 13.1: the truncation of the key length is
493                  * implicit as the key is only drbg_blocklen in size based on
494                  * the implementation of the cipher function callback
495                  */
496                 ret = drbg_kcapi_sym(drbg, X, &cipherin);
497                 if (ret)
498                         goto out;
499                 blocklen = (drbg_blocklen(drbg) <
500                                 (bytes_to_return - generated_len)) ?
501                             drbg_blocklen(drbg) :
502                                 (bytes_to_return - generated_len);
503                 /* 10.4.2 step 13.2 and 14 */
504                 memcpy(df_data + generated_len, X, blocklen);
505                 generated_len += blocklen;
506         }
507
508         ret = 0;
509
510 out:
511         memset(iv, 0, drbg_blocklen(drbg));
512         memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg));
513         memset(pad, 0, drbg_blocklen(drbg));
514         return ret;
515 }
516
517 /*
518  * update function of CTR DRBG as defined in 10.2.1.2
519  *
520  * The reseed variable has an enhanced meaning compared to the update
521  * functions of the other DRBGs as follows:
522  * 0 => initial seed from initialization
523  * 1 => reseed via drbg_seed
524  * 2 => first invocation from drbg_ctr_update when addtl is present. In
525  *      this case, the df_data scratchpad is not deleted so that it is
526  *      available for another calls to prevent calling the DF function
527  *      again.
528  * 3 => second invocation from drbg_ctr_update. When the update function
529  *      was called with addtl, the df_data memory already contains the
530  *      DFed addtl information and we do not need to call DF again.
531  */
532 static int drbg_ctr_update(struct drbg_state *drbg, struct list_head *seed,
533                            int reseed)
534 {
535         int ret = -EFAULT;
536         /* 10.2.1.2 step 1 */
537         unsigned char *temp = drbg->scratchpad;
538         unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) +
539                                  drbg_blocklen(drbg);
540
541         if (3 > reseed)
542                 memset(df_data, 0, drbg_statelen(drbg));
543
544         if (!reseed) {
545                 /*
546                  * The DRBG uses the CTR mode of the underlying AES cipher. The
547                  * CTR mode increments the counter value after the AES operation
548                  * but SP800-90A requires that the counter is incremented before
549                  * the AES operation. Hence, we increment it at the time we set
550                  * it by one.
551                  */
552                 crypto_inc(drbg->V, drbg_blocklen(drbg));
553
554                 ret = crypto_skcipher_setkey(drbg->ctr_handle, drbg->C,
555                                              drbg_keylen(drbg));
556                 if (ret)
557                         goto out;
558         }
559
560         /* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */
561         if (seed) {
562                 ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), seed);
563                 if (ret)
564                         goto out;
565         }
566
567         ret = drbg_kcapi_sym_ctr(drbg, df_data, drbg_statelen(drbg),
568                                  temp, drbg_statelen(drbg));
569         if (ret)
570                 return ret;
571
572         /* 10.2.1.2 step 5 */
573         ret = crypto_skcipher_setkey(drbg->ctr_handle, temp,
574                                      drbg_keylen(drbg));
575         if (ret)
576                 goto out;
577         /* 10.2.1.2 step 6 */
578         memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg));
579         /* See above: increment counter by one to compensate timing of CTR op */
580         crypto_inc(drbg->V, drbg_blocklen(drbg));
581         ret = 0;
582
583 out:
584         memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg));
585         if (2 != reseed)
586                 memset(df_data, 0, drbg_statelen(drbg));
587         return ret;
588 }
589
590 /*
591  * scratchpad use: drbg_ctr_update is called independently from
592  * drbg_ctr_extract_bytes. Therefore, the scratchpad is reused
593  */
594 /* Generate function of CTR DRBG as defined in 10.2.1.5.2 */
595 static int drbg_ctr_generate(struct drbg_state *drbg,
596                              unsigned char *buf, unsigned int buflen,
597                              struct list_head *addtl)
598 {
599         int ret;
600         int len = min_t(int, buflen, INT_MAX);
601
602         /* 10.2.1.5.2 step 2 */
603         if (addtl && !list_empty(addtl)) {
604                 ret = drbg_ctr_update(drbg, addtl, 2);
605                 if (ret)
606                         return 0;
607         }
608
609         /* 10.2.1.5.2 step 4.1 */
610         ret = drbg_kcapi_sym_ctr(drbg, NULL, 0, buf, len);
611         if (ret)
612                 return ret;
613
614         /* 10.2.1.5.2 step 6 */
615         ret = drbg_ctr_update(drbg, NULL, 3);
616         if (ret)
617                 len = ret;
618
619         return len;
620 }
621
622 static const struct drbg_state_ops drbg_ctr_ops = {
623         .update         = drbg_ctr_update,
624         .generate       = drbg_ctr_generate,
625         .crypto_init    = drbg_init_sym_kernel,
626         .crypto_fini    = drbg_fini_sym_kernel,
627 };
628 #endif /* CONFIG_CRYPTO_DRBG_CTR */
629
630 /******************************************************************
631  * HMAC DRBG callback functions
632  ******************************************************************/
633
634 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC)
635 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval,
636                            const struct list_head *in);
637 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg,
638                                   const unsigned char *key);
639 static int drbg_init_hash_kernel(struct drbg_state *drbg);
640 static int drbg_fini_hash_kernel(struct drbg_state *drbg);
641 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */
642
643 #ifdef CONFIG_CRYPTO_DRBG_HMAC
644 #define CRYPTO_DRBG_HMAC_STRING "HMAC "
645 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha512");
646 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha512");
647 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha384");
648 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha384");
649 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha256");
650 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha256");
651 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha1");
652 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha1");
653
654 /* update function of HMAC DRBG as defined in 10.1.2.2 */
655 static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed,
656                             int reseed)
657 {
658         int ret = -EFAULT;
659         int i = 0;
660         struct drbg_string seed1, seed2, vdata;
661         LIST_HEAD(seedlist);
662         LIST_HEAD(vdatalist);
663
664         if (!reseed) {
665                 /* 10.1.2.3 step 2 -- memset(0) of C is implicit with kzalloc */
666                 memset(drbg->V, 1, drbg_statelen(drbg));
667                 drbg_kcapi_hmacsetkey(drbg, drbg->C);
668         }
669
670         drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg));
671         list_add_tail(&seed1.list, &seedlist);
672         /* buffer of seed2 will be filled in for loop below with one byte */
673         drbg_string_fill(&seed2, NULL, 1);
674         list_add_tail(&seed2.list, &seedlist);
675         /* input data of seed is allowed to be NULL at this point */
676         if (seed)
677                 list_splice_tail(seed, &seedlist);
678
679         drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg));
680         list_add_tail(&vdata.list, &vdatalist);
681         for (i = 2; 0 < i; i--) {
682                 /* first round uses 0x0, second 0x1 */
683                 unsigned char prefix = DRBG_PREFIX0;
684                 if (1 == i)
685                         prefix = DRBG_PREFIX1;
686                 /* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */
687                 seed2.buf = &prefix;
688                 ret = drbg_kcapi_hash(drbg, drbg->C, &seedlist);
689                 if (ret)
690                         return ret;
691                 drbg_kcapi_hmacsetkey(drbg, drbg->C);
692
693                 /* 10.1.2.2 step 2 and 5 -- HMAC for V */
694                 ret = drbg_kcapi_hash(drbg, drbg->V, &vdatalist);
695                 if (ret)
696                         return ret;
697
698                 /* 10.1.2.2 step 3 */
699                 if (!seed)
700                         return ret;
701         }
702
703         return 0;
704 }
705
706 /* generate function of HMAC DRBG as defined in 10.1.2.5 */
707 static int drbg_hmac_generate(struct drbg_state *drbg,
708                               unsigned char *buf,
709                               unsigned int buflen,
710                               struct list_head *addtl)
711 {
712         int len = 0;
713         int ret = 0;
714         struct drbg_string data;
715         LIST_HEAD(datalist);
716
717         /* 10.1.2.5 step 2 */
718         if (addtl && !list_empty(addtl)) {
719                 ret = drbg_hmac_update(drbg, addtl, 1);
720                 if (ret)
721                         return ret;
722         }
723
724         drbg_string_fill(&data, drbg->V, drbg_statelen(drbg));
725         list_add_tail(&data.list, &datalist);
726         while (len < buflen) {
727                 unsigned int outlen = 0;
728                 /* 10.1.2.5 step 4.1 */
729                 ret = drbg_kcapi_hash(drbg, drbg->V, &datalist);
730                 if (ret)
731                         return ret;
732                 outlen = (drbg_blocklen(drbg) < (buflen - len)) ?
733                           drbg_blocklen(drbg) : (buflen - len);
734
735                 /* 10.1.2.5 step 4.2 */
736                 memcpy(buf + len, drbg->V, outlen);
737                 len += outlen;
738         }
739
740         /* 10.1.2.5 step 6 */
741         if (addtl && !list_empty(addtl))
742                 ret = drbg_hmac_update(drbg, addtl, 1);
743         else
744                 ret = drbg_hmac_update(drbg, NULL, 1);
745         if (ret)
746                 return ret;
747
748         return len;
749 }
750
751 static const struct drbg_state_ops drbg_hmac_ops = {
752         .update         = drbg_hmac_update,
753         .generate       = drbg_hmac_generate,
754         .crypto_init    = drbg_init_hash_kernel,
755         .crypto_fini    = drbg_fini_hash_kernel,
756 };
757 #endif /* CONFIG_CRYPTO_DRBG_HMAC */
758
759 /******************************************************************
760  * Hash DRBG callback functions
761  ******************************************************************/
762
763 #ifdef CONFIG_CRYPTO_DRBG_HASH
764 #define CRYPTO_DRBG_HASH_STRING "HASH "
765 MODULE_ALIAS_CRYPTO("drbg_pr_sha512");
766 MODULE_ALIAS_CRYPTO("drbg_nopr_sha512");
767 MODULE_ALIAS_CRYPTO("drbg_pr_sha384");
768 MODULE_ALIAS_CRYPTO("drbg_nopr_sha384");
769 MODULE_ALIAS_CRYPTO("drbg_pr_sha256");
770 MODULE_ALIAS_CRYPTO("drbg_nopr_sha256");
771 MODULE_ALIAS_CRYPTO("drbg_pr_sha1");
772 MODULE_ALIAS_CRYPTO("drbg_nopr_sha1");
773
774 /*
775  * Increment buffer
776  *
777  * @dst buffer to increment
778  * @add value to add
779  */
780 static inline void drbg_add_buf(unsigned char *dst, size_t dstlen,
781                                 const unsigned char *add, size_t addlen)
782 {
783         /* implied: dstlen > addlen */
784         unsigned char *dstptr;
785         const unsigned char *addptr;
786         unsigned int remainder = 0;
787         size_t len = addlen;
788
789         dstptr = dst + (dstlen-1);
790         addptr = add + (addlen-1);
791         while (len) {
792                 remainder += *dstptr + *addptr;
793                 *dstptr = remainder & 0xff;
794                 remainder >>= 8;
795                 len--; dstptr--; addptr--;
796         }
797         len = dstlen - addlen;
798         while (len && remainder > 0) {
799                 remainder = *dstptr + 1;
800                 *dstptr = remainder & 0xff;
801                 remainder >>= 8;
802                 len--; dstptr--;
803         }
804 }
805
806 /*
807  * scratchpad usage: as drbg_hash_update and drbg_hash_df are used
808  * interlinked, the scratchpad is used as follows:
809  * drbg_hash_update
810  *      start: drbg->scratchpad
811  *      length: drbg_statelen(drbg)
812  * drbg_hash_df:
813  *      start: drbg->scratchpad + drbg_statelen(drbg)
814  *      length: drbg_blocklen(drbg)
815  *
816  * drbg_hash_process_addtl uses the scratchpad, but fully completes
817  * before either of the functions mentioned before are invoked. Therefore,
818  * drbg_hash_process_addtl does not need to be specifically considered.
819  */
820
821 /* Derivation Function for Hash DRBG as defined in 10.4.1 */
822 static int drbg_hash_df(struct drbg_state *drbg,
823                         unsigned char *outval, size_t outlen,
824                         struct list_head *entropylist)
825 {
826         int ret = 0;
827         size_t len = 0;
828         unsigned char input[5];
829         unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg);
830         struct drbg_string data;
831
832         /* 10.4.1 step 3 */
833         input[0] = 1;
834         drbg_cpu_to_be32((outlen * 8), &input[1]);
835
836         /* 10.4.1 step 4.1 -- concatenation of data for input into hash */
837         drbg_string_fill(&data, input, 5);
838         list_add(&data.list, entropylist);
839
840         /* 10.4.1 step 4 */
841         while (len < outlen) {
842                 short blocklen = 0;
843                 /* 10.4.1 step 4.1 */
844                 ret = drbg_kcapi_hash(drbg, tmp, entropylist);
845                 if (ret)
846                         goto out;
847                 /* 10.4.1 step 4.2 */
848                 input[0]++;
849                 blocklen = (drbg_blocklen(drbg) < (outlen - len)) ?
850                             drbg_blocklen(drbg) : (outlen - len);
851                 memcpy(outval + len, tmp, blocklen);
852                 len += blocklen;
853         }
854
855 out:
856         memset(tmp, 0, drbg_blocklen(drbg));
857         return ret;
858 }
859
860 /* update function for Hash DRBG as defined in 10.1.1.2 / 10.1.1.3 */
861 static int drbg_hash_update(struct drbg_state *drbg, struct list_head *seed,
862                             int reseed)
863 {
864         int ret = 0;
865         struct drbg_string data1, data2;
866         LIST_HEAD(datalist);
867         LIST_HEAD(datalist2);
868         unsigned char *V = drbg->scratchpad;
869         unsigned char prefix = DRBG_PREFIX1;
870
871         if (!seed)
872                 return -EINVAL;
873
874         if (reseed) {
875                 /* 10.1.1.3 step 1 */
876                 memcpy(V, drbg->V, drbg_statelen(drbg));
877                 drbg_string_fill(&data1, &prefix, 1);
878                 list_add_tail(&data1.list, &datalist);
879                 drbg_string_fill(&data2, V, drbg_statelen(drbg));
880                 list_add_tail(&data2.list, &datalist);
881         }
882         list_splice_tail(seed, &datalist);
883
884         /* 10.1.1.2 / 10.1.1.3 step 2 and 3 */
885         ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist);
886         if (ret)
887                 goto out;
888
889         /* 10.1.1.2 / 10.1.1.3 step 4  */
890         prefix = DRBG_PREFIX0;
891         drbg_string_fill(&data1, &prefix, 1);
892         list_add_tail(&data1.list, &datalist2);
893         drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
894         list_add_tail(&data2.list, &datalist2);
895         /* 10.1.1.2 / 10.1.1.3 step 4 */
896         ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2);
897
898 out:
899         memset(drbg->scratchpad, 0, drbg_statelen(drbg));
900         return ret;
901 }
902
903 /* processing of additional information string for Hash DRBG */
904 static int drbg_hash_process_addtl(struct drbg_state *drbg,
905                                    struct list_head *addtl)
906 {
907         int ret = 0;
908         struct drbg_string data1, data2;
909         LIST_HEAD(datalist);
910         unsigned char prefix = DRBG_PREFIX2;
911
912         /* 10.1.1.4 step 2 */
913         if (!addtl || list_empty(addtl))
914                 return 0;
915
916         /* 10.1.1.4 step 2a */
917         drbg_string_fill(&data1, &prefix, 1);
918         drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
919         list_add_tail(&data1.list, &datalist);
920         list_add_tail(&data2.list, &datalist);
921         list_splice_tail(addtl, &datalist);
922         ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist);
923         if (ret)
924                 goto out;
925
926         /* 10.1.1.4 step 2b */
927         drbg_add_buf(drbg->V, drbg_statelen(drbg),
928                      drbg->scratchpad, drbg_blocklen(drbg));
929
930 out:
931         memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
932         return ret;
933 }
934
935 /* Hashgen defined in 10.1.1.4 */
936 static int drbg_hash_hashgen(struct drbg_state *drbg,
937                              unsigned char *buf,
938                              unsigned int buflen)
939 {
940         int len = 0;
941         int ret = 0;
942         unsigned char *src = drbg->scratchpad;
943         unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg);
944         struct drbg_string data;
945         LIST_HEAD(datalist);
946
947         /* 10.1.1.4 step hashgen 2 */
948         memcpy(src, drbg->V, drbg_statelen(drbg));
949
950         drbg_string_fill(&data, src, drbg_statelen(drbg));
951         list_add_tail(&data.list, &datalist);
952         while (len < buflen) {
953                 unsigned int outlen = 0;
954                 /* 10.1.1.4 step hashgen 4.1 */
955                 ret = drbg_kcapi_hash(drbg, dst, &datalist);
956                 if (ret) {
957                         len = ret;
958                         goto out;
959                 }
960                 outlen = (drbg_blocklen(drbg) < (buflen - len)) ?
961                           drbg_blocklen(drbg) : (buflen - len);
962                 /* 10.1.1.4 step hashgen 4.2 */
963                 memcpy(buf + len, dst, outlen);
964                 len += outlen;
965                 /* 10.1.1.4 hashgen step 4.3 */
966                 if (len < buflen)
967                         crypto_inc(src, drbg_statelen(drbg));
968         }
969
970 out:
971         memset(drbg->scratchpad, 0,
972                (drbg_statelen(drbg) + drbg_blocklen(drbg)));
973         return len;
974 }
975
976 /* generate function for Hash DRBG as defined in  10.1.1.4 */
977 static int drbg_hash_generate(struct drbg_state *drbg,
978                               unsigned char *buf, unsigned int buflen,
979                               struct list_head *addtl)
980 {
981         int len = 0;
982         int ret = 0;
983         union {
984                 unsigned char req[8];
985                 __be64 req_int;
986         } u;
987         unsigned char prefix = DRBG_PREFIX3;
988         struct drbg_string data1, data2;
989         LIST_HEAD(datalist);
990
991         /* 10.1.1.4 step 2 */
992         ret = drbg_hash_process_addtl(drbg, addtl);
993         if (ret)
994                 return ret;
995         /* 10.1.1.4 step 3 */
996         len = drbg_hash_hashgen(drbg, buf, buflen);
997
998         /* this is the value H as documented in 10.1.1.4 */
999         /* 10.1.1.4 step 4 */
1000         drbg_string_fill(&data1, &prefix, 1);
1001         list_add_tail(&data1.list, &datalist);
1002         drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
1003         list_add_tail(&data2.list, &datalist);
1004         ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist);
1005         if (ret) {
1006                 len = ret;
1007                 goto out;
1008         }
1009
1010         /* 10.1.1.4 step 5 */
1011         drbg_add_buf(drbg->V, drbg_statelen(drbg),
1012                      drbg->scratchpad, drbg_blocklen(drbg));
1013         drbg_add_buf(drbg->V, drbg_statelen(drbg),
1014                      drbg->C, drbg_statelen(drbg));
1015         u.req_int = cpu_to_be64(drbg->reseed_ctr);
1016         drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8);
1017
1018 out:
1019         memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
1020         return len;
1021 }
1022
1023 /*
1024  * scratchpad usage: as update and generate are used isolated, both
1025  * can use the scratchpad
1026  */
1027 static const struct drbg_state_ops drbg_hash_ops = {
1028         .update         = drbg_hash_update,
1029         .generate       = drbg_hash_generate,
1030         .crypto_init    = drbg_init_hash_kernel,
1031         .crypto_fini    = drbg_fini_hash_kernel,
1032 };
1033 #endif /* CONFIG_CRYPTO_DRBG_HASH */
1034
1035 /******************************************************************
1036  * Functions common for DRBG implementations
1037  ******************************************************************/
1038
1039 static inline int __drbg_seed(struct drbg_state *drbg, struct list_head *seed,
1040                               int reseed, enum drbg_seed_state new_seed_state)
1041 {
1042         int ret = drbg->d_ops->update(drbg, seed, reseed);
1043
1044         if (ret)
1045                 return ret;
1046
1047         drbg->seeded = new_seed_state;
1048         drbg->last_seed_time = jiffies;
1049         /* 10.1.1.2 / 10.1.1.3 step 5 */
1050         drbg->reseed_ctr = 1;
1051
1052         switch (drbg->seeded) {
1053         case DRBG_SEED_STATE_UNSEEDED:
1054                 /* Impossible, but handle it to silence compiler warnings. */
1055                 fallthrough;
1056         case DRBG_SEED_STATE_PARTIAL:
1057                 /*
1058                  * Require frequent reseeds until the seed source is
1059                  * fully initialized.
1060                  */
1061                 drbg->reseed_threshold = 50;
1062                 break;
1063
1064         case DRBG_SEED_STATE_FULL:
1065                 /*
1066                  * Seed source has become fully initialized, frequent
1067                  * reseeds no longer required.
1068                  */
1069                 drbg->reseed_threshold = drbg_max_requests(drbg);
1070                 break;
1071         }
1072
1073         return ret;
1074 }
1075
1076 static inline int drbg_get_random_bytes(struct drbg_state *drbg,
1077                                         unsigned char *entropy,
1078                                         unsigned int entropylen)
1079 {
1080         int ret;
1081
1082         do {
1083                 get_random_bytes(entropy, entropylen);
1084                 ret = drbg_fips_continuous_test(drbg, entropy);
1085                 if (ret && ret != -EAGAIN)
1086                         return ret;
1087         } while (ret);
1088
1089         return 0;
1090 }
1091
1092 static int drbg_seed_from_random(struct drbg_state *drbg)
1093 {
1094         struct drbg_string data;
1095         LIST_HEAD(seedlist);
1096         unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
1097         unsigned char entropy[32];
1098         int ret;
1099
1100         BUG_ON(!entropylen);
1101         BUG_ON(entropylen > sizeof(entropy));
1102
1103         drbg_string_fill(&data, entropy, entropylen);
1104         list_add_tail(&data.list, &seedlist);
1105
1106         ret = drbg_get_random_bytes(drbg, entropy, entropylen);
1107         if (ret)
1108                 goto out;
1109
1110         ret = __drbg_seed(drbg, &seedlist, true, DRBG_SEED_STATE_FULL);
1111
1112 out:
1113         memzero_explicit(entropy, entropylen);
1114         return ret;
1115 }
1116
1117 static bool drbg_nopr_reseed_interval_elapsed(struct drbg_state *drbg)
1118 {
1119         unsigned long next_reseed;
1120
1121         /* Don't ever reseed from get_random_bytes() in test mode. */
1122         if (list_empty(&drbg->test_data.list))
1123                 return false;
1124
1125         /*
1126          * Obtain fresh entropy for the nopr DRBGs after 300s have
1127          * elapsed in order to still achieve sort of partial
1128          * prediction resistance over the time domain at least. Note
1129          * that the period of 300s has been chosen to match the
1130          * CRNG_RESEED_INTERVAL of the get_random_bytes()' chacha
1131          * rngs.
1132          */
1133         next_reseed = drbg->last_seed_time + 300 * HZ;
1134         return time_after(jiffies, next_reseed);
1135 }
1136
1137 /*
1138  * Seeding or reseeding of the DRBG
1139  *
1140  * @drbg: DRBG state struct
1141  * @pers: personalization / additional information buffer
1142  * @reseed: 0 for initial seed process, 1 for reseeding
1143  *
1144  * return:
1145  *      0 on success
1146  *      error value otherwise
1147  */
1148 static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers,
1149                      bool reseed)
1150 {
1151         int ret;
1152         unsigned char entropy[((32 + 16) * 2)];
1153         unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
1154         struct drbg_string data1;
1155         LIST_HEAD(seedlist);
1156         enum drbg_seed_state new_seed_state = DRBG_SEED_STATE_FULL;
1157
1158         /* 9.1 / 9.2 / 9.3.1 step 3 */
1159         if (pers && pers->len > (drbg_max_addtl(drbg))) {
1160                 pr_devel("DRBG: personalization string too long %zu\n",
1161                          pers->len);
1162                 return -EINVAL;
1163         }
1164
1165         if (list_empty(&drbg->test_data.list)) {
1166                 drbg_string_fill(&data1, drbg->test_data.buf,
1167                                  drbg->test_data.len);
1168                 pr_devel("DRBG: using test entropy\n");
1169         } else {
1170                 /*
1171                  * Gather entropy equal to the security strength of the DRBG.
1172                  * With a derivation function, a nonce is required in addition
1173                  * to the entropy. A nonce must be at least 1/2 of the security
1174                  * strength of the DRBG in size. Thus, entropy + nonce is 3/2
1175                  * of the strength. The consideration of a nonce is only
1176                  * applicable during initial seeding.
1177                  */
1178                 BUG_ON(!entropylen);
1179                 if (!reseed)
1180                         entropylen = ((entropylen + 1) / 2) * 3;
1181                 BUG_ON((entropylen * 2) > sizeof(entropy));
1182
1183                 /* Get seed from in-kernel /dev/urandom */
1184                 if (!rng_is_initialized())
1185                         new_seed_state = DRBG_SEED_STATE_PARTIAL;
1186
1187                 ret = drbg_get_random_bytes(drbg, entropy, entropylen);
1188                 if (ret)
1189                         goto out;
1190
1191                 if (!drbg->jent) {
1192                         drbg_string_fill(&data1, entropy, entropylen);
1193                         pr_devel("DRBG: (re)seeding with %u bytes of entropy\n",
1194                                  entropylen);
1195                 } else {
1196                         /*
1197                          * Get seed from Jitter RNG, failures are
1198                          * fatal only in FIPS mode.
1199                          */
1200                         ret = crypto_rng_get_bytes(drbg->jent,
1201                                                    entropy + entropylen,
1202                                                    entropylen);
1203                         if (fips_enabled && ret) {
1204                                 pr_devel("DRBG: jent failed with %d\n", ret);
1205
1206                                 /*
1207                                  * Do not treat the transient failure of the
1208                                  * Jitter RNG as an error that needs to be
1209                                  * reported. The combined number of the
1210                                  * maximum reseed threshold times the maximum
1211                                  * number of Jitter RNG transient errors is
1212                                  * less than the reseed threshold required by
1213                                  * SP800-90A allowing us to treat the
1214                                  * transient errors as such.
1215                                  *
1216                                  * However, we mandate that at least the first
1217                                  * seeding operation must succeed with the
1218                                  * Jitter RNG.
1219                                  */
1220                                 if (!reseed || ret != -EAGAIN)
1221                                         goto out;
1222                         }
1223
1224                         drbg_string_fill(&data1, entropy, entropylen * 2);
1225                         pr_devel("DRBG: (re)seeding with %u bytes of entropy\n",
1226                                  entropylen * 2);
1227                 }
1228         }
1229         list_add_tail(&data1.list, &seedlist);
1230
1231         /*
1232          * concatenation of entropy with personalization str / addtl input)
1233          * the variable pers is directly handed in by the caller, so check its
1234          * contents whether it is appropriate
1235          */
1236         if (pers && pers->buf && 0 < pers->len) {
1237                 list_add_tail(&pers->list, &seedlist);
1238                 pr_devel("DRBG: using personalization string\n");
1239         }
1240
1241         if (!reseed) {
1242                 memset(drbg->V, 0, drbg_statelen(drbg));
1243                 memset(drbg->C, 0, drbg_statelen(drbg));
1244         }
1245
1246         ret = __drbg_seed(drbg, &seedlist, reseed, new_seed_state);
1247
1248 out:
1249         memzero_explicit(entropy, entropylen * 2);
1250
1251         return ret;
1252 }
1253
1254 /* Free all substructures in a DRBG state without the DRBG state structure */
1255 static inline void drbg_dealloc_state(struct drbg_state *drbg)
1256 {
1257         if (!drbg)
1258                 return;
1259         kfree_sensitive(drbg->Vbuf);
1260         drbg->Vbuf = NULL;
1261         drbg->V = NULL;
1262         kfree_sensitive(drbg->Cbuf);
1263         drbg->Cbuf = NULL;
1264         drbg->C = NULL;
1265         kfree_sensitive(drbg->scratchpadbuf);
1266         drbg->scratchpadbuf = NULL;
1267         drbg->reseed_ctr = 0;
1268         drbg->d_ops = NULL;
1269         drbg->core = NULL;
1270         if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) {
1271                 kfree_sensitive(drbg->prev);
1272                 drbg->prev = NULL;
1273                 drbg->fips_primed = false;
1274         }
1275 }
1276
1277 /*
1278  * Allocate all sub-structures for a DRBG state.
1279  * The DRBG state structure must already be allocated.
1280  */
1281 static inline int drbg_alloc_state(struct drbg_state *drbg)
1282 {
1283         int ret = -ENOMEM;
1284         unsigned int sb_size = 0;
1285
1286         switch (drbg->core->flags & DRBG_TYPE_MASK) {
1287 #ifdef CONFIG_CRYPTO_DRBG_HMAC
1288         case DRBG_HMAC:
1289                 drbg->d_ops = &drbg_hmac_ops;
1290                 break;
1291 #endif /* CONFIG_CRYPTO_DRBG_HMAC */
1292 #ifdef CONFIG_CRYPTO_DRBG_HASH
1293         case DRBG_HASH:
1294                 drbg->d_ops = &drbg_hash_ops;
1295                 break;
1296 #endif /* CONFIG_CRYPTO_DRBG_HASH */
1297 #ifdef CONFIG_CRYPTO_DRBG_CTR
1298         case DRBG_CTR:
1299                 drbg->d_ops = &drbg_ctr_ops;
1300                 break;
1301 #endif /* CONFIG_CRYPTO_DRBG_CTR */
1302         default:
1303                 ret = -EOPNOTSUPP;
1304                 goto err;
1305         }
1306
1307         ret = drbg->d_ops->crypto_init(drbg);
1308         if (ret < 0)
1309                 goto err;
1310
1311         drbg->Vbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL);
1312         if (!drbg->Vbuf) {
1313                 ret = -ENOMEM;
1314                 goto fini;
1315         }
1316         drbg->V = PTR_ALIGN(drbg->Vbuf, ret + 1);
1317         drbg->Cbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL);
1318         if (!drbg->Cbuf) {
1319                 ret = -ENOMEM;
1320                 goto fini;
1321         }
1322         drbg->C = PTR_ALIGN(drbg->Cbuf, ret + 1);
1323         /* scratchpad is only generated for CTR and Hash */
1324         if (drbg->core->flags & DRBG_HMAC)
1325                 sb_size = 0;
1326         else if (drbg->core->flags & DRBG_CTR)
1327                 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) + /* temp */
1328                           drbg_statelen(drbg) + /* df_data */
1329                           drbg_blocklen(drbg) + /* pad */
1330                           drbg_blocklen(drbg) + /* iv */
1331                           drbg_statelen(drbg) + drbg_blocklen(drbg); /* temp */
1332         else
1333                 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg);
1334
1335         if (0 < sb_size) {
1336                 drbg->scratchpadbuf = kzalloc(sb_size + ret, GFP_KERNEL);
1337                 if (!drbg->scratchpadbuf) {
1338                         ret = -ENOMEM;
1339                         goto fini;
1340                 }
1341                 drbg->scratchpad = PTR_ALIGN(drbg->scratchpadbuf, ret + 1);
1342         }
1343
1344         if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) {
1345                 drbg->prev = kzalloc(drbg_sec_strength(drbg->core->flags),
1346                                      GFP_KERNEL);
1347                 if (!drbg->prev) {
1348                         ret = -ENOMEM;
1349                         goto fini;
1350                 }
1351                 drbg->fips_primed = false;
1352         }
1353
1354         return 0;
1355
1356 fini:
1357         drbg->d_ops->crypto_fini(drbg);
1358 err:
1359         drbg_dealloc_state(drbg);
1360         return ret;
1361 }
1362
1363 /*************************************************************************
1364  * DRBG interface functions
1365  *************************************************************************/
1366
1367 /*
1368  * DRBG generate function as required by SP800-90A - this function
1369  * generates random numbers
1370  *
1371  * @drbg DRBG state handle
1372  * @buf Buffer where to store the random numbers -- the buffer must already
1373  *      be pre-allocated by caller
1374  * @buflen Length of output buffer - this value defines the number of random
1375  *         bytes pulled from DRBG
1376  * @addtl Additional input that is mixed into state, may be NULL -- note
1377  *        the entropy is pulled by the DRBG internally unconditionally
1378  *        as defined in SP800-90A. The additional input is mixed into
1379  *        the state in addition to the pulled entropy.
1380  *
1381  * return: 0 when all bytes are generated; < 0 in case of an error
1382  */
1383 static int drbg_generate(struct drbg_state *drbg,
1384                          unsigned char *buf, unsigned int buflen,
1385                          struct drbg_string *addtl)
1386 {
1387         int len = 0;
1388         LIST_HEAD(addtllist);
1389
1390         if (!drbg->core) {
1391                 pr_devel("DRBG: not yet seeded\n");
1392                 return -EINVAL;
1393         }
1394         if (0 == buflen || !buf) {
1395                 pr_devel("DRBG: no output buffer provided\n");
1396                 return -EINVAL;
1397         }
1398         if (addtl && NULL == addtl->buf && 0 < addtl->len) {
1399                 pr_devel("DRBG: wrong format of additional information\n");
1400                 return -EINVAL;
1401         }
1402
1403         /* 9.3.1 step 2 */
1404         len = -EINVAL;
1405         if (buflen > (drbg_max_request_bytes(drbg))) {
1406                 pr_devel("DRBG: requested random numbers too large %u\n",
1407                          buflen);
1408                 goto err;
1409         }
1410
1411         /* 9.3.1 step 3 is implicit with the chosen DRBG */
1412
1413         /* 9.3.1 step 4 */
1414         if (addtl && addtl->len > (drbg_max_addtl(drbg))) {
1415                 pr_devel("DRBG: additional information string too long %zu\n",
1416                          addtl->len);
1417                 goto err;
1418         }
1419         /* 9.3.1 step 5 is implicit with the chosen DRBG */
1420
1421         /*
1422          * 9.3.1 step 6 and 9 supplemented by 9.3.2 step c is implemented
1423          * here. The spec is a bit convoluted here, we make it simpler.
1424          */
1425         if (drbg->reseed_threshold < drbg->reseed_ctr)
1426                 drbg->seeded = DRBG_SEED_STATE_UNSEEDED;
1427
1428         if (drbg->pr || drbg->seeded == DRBG_SEED_STATE_UNSEEDED) {
1429                 pr_devel("DRBG: reseeding before generation (prediction "
1430                          "resistance: %s, state %s)\n",
1431                          drbg->pr ? "true" : "false",
1432                          (drbg->seeded ==  DRBG_SEED_STATE_FULL ?
1433                           "seeded" : "unseeded"));
1434                 /* 9.3.1 steps 7.1 through 7.3 */
1435                 len = drbg_seed(drbg, addtl, true);
1436                 if (len)
1437                         goto err;
1438                 /* 9.3.1 step 7.4 */
1439                 addtl = NULL;
1440         } else if (rng_is_initialized() &&
1441                    (drbg->seeded == DRBG_SEED_STATE_PARTIAL ||
1442                     drbg_nopr_reseed_interval_elapsed(drbg))) {
1443                 len = drbg_seed_from_random(drbg);
1444                 if (len)
1445                         goto err;
1446         }
1447
1448         if (addtl && 0 < addtl->len)
1449                 list_add_tail(&addtl->list, &addtllist);
1450         /* 9.3.1 step 8 and 10 */
1451         len = drbg->d_ops->generate(drbg, buf, buflen, &addtllist);
1452
1453         /* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */
1454         drbg->reseed_ctr++;
1455         if (0 >= len)
1456                 goto err;
1457
1458         /*
1459          * Section 11.3.3 requires to re-perform self tests after some
1460          * generated random numbers. The chosen value after which self
1461          * test is performed is arbitrary, but it should be reasonable.
1462          * However, we do not perform the self tests because of the following
1463          * reasons: it is mathematically impossible that the initial self tests
1464          * were successfully and the following are not. If the initial would
1465          * pass and the following would not, the kernel integrity is violated.
1466          * In this case, the entire kernel operation is questionable and it
1467          * is unlikely that the integrity violation only affects the
1468          * correct operation of the DRBG.
1469          *
1470          * Albeit the following code is commented out, it is provided in
1471          * case somebody has a need to implement the test of 11.3.3.
1472          */
1473 #if 0
1474         if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096)) {
1475                 int err = 0;
1476                 pr_devel("DRBG: start to perform self test\n");
1477                 if (drbg->core->flags & DRBG_HMAC)
1478                         err = alg_test("drbg_pr_hmac_sha256",
1479                                        "drbg_pr_hmac_sha256", 0, 0);
1480                 else if (drbg->core->flags & DRBG_CTR)
1481                         err = alg_test("drbg_pr_ctr_aes128",
1482                                        "drbg_pr_ctr_aes128", 0, 0);
1483                 else
1484                         err = alg_test("drbg_pr_sha256",
1485                                        "drbg_pr_sha256", 0, 0);
1486                 if (err) {
1487                         pr_err("DRBG: periodical self test failed\n");
1488                         /*
1489                          * uninstantiate implies that from now on, only errors
1490                          * are returned when reusing this DRBG cipher handle
1491                          */
1492                         drbg_uninstantiate(drbg);
1493                         return 0;
1494                 } else {
1495                         pr_devel("DRBG: self test successful\n");
1496                 }
1497         }
1498 #endif
1499
1500         /*
1501          * All operations were successful, return 0 as mandated by
1502          * the kernel crypto API interface.
1503          */
1504         len = 0;
1505 err:
1506         return len;
1507 }
1508
1509 /*
1510  * Wrapper around drbg_generate which can pull arbitrary long strings
1511  * from the DRBG without hitting the maximum request limitation.
1512  *
1513  * Parameters: see drbg_generate
1514  * Return codes: see drbg_generate -- if one drbg_generate request fails,
1515  *               the entire drbg_generate_long request fails
1516  */
1517 static int drbg_generate_long(struct drbg_state *drbg,
1518                               unsigned char *buf, unsigned int buflen,
1519                               struct drbg_string *addtl)
1520 {
1521         unsigned int len = 0;
1522         unsigned int slice = 0;
1523         do {
1524                 int err = 0;
1525                 unsigned int chunk = 0;
1526                 slice = ((buflen - len) / drbg_max_request_bytes(drbg));
1527                 chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len);
1528                 mutex_lock(&drbg->drbg_mutex);
1529                 err = drbg_generate(drbg, buf + len, chunk, addtl);
1530                 mutex_unlock(&drbg->drbg_mutex);
1531                 if (0 > err)
1532                         return err;
1533                 len += chunk;
1534         } while (slice > 0 && (len < buflen));
1535         return 0;
1536 }
1537
1538 static int drbg_prepare_hrng(struct drbg_state *drbg)
1539 {
1540         /* We do not need an HRNG in test mode. */
1541         if (list_empty(&drbg->test_data.list))
1542                 return 0;
1543
1544         drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0);
1545         if (IS_ERR(drbg->jent)) {
1546                 const int err = PTR_ERR(drbg->jent);
1547
1548                 drbg->jent = NULL;
1549                 if (fips_enabled || err != -ENOENT)
1550                         return err;
1551                 pr_info("DRBG: Continuing without Jitter RNG\n");
1552         }
1553
1554         return 0;
1555 }
1556
1557 /*
1558  * DRBG instantiation function as required by SP800-90A - this function
1559  * sets up the DRBG handle, performs the initial seeding and all sanity
1560  * checks required by SP800-90A
1561  *
1562  * @drbg memory of state -- if NULL, new memory is allocated
1563  * @pers Personalization string that is mixed into state, may be NULL -- note
1564  *       the entropy is pulled by the DRBG internally unconditionally
1565  *       as defined in SP800-90A. The additional input is mixed into
1566  *       the state in addition to the pulled entropy.
1567  * @coreref reference to core
1568  * @pr prediction resistance enabled
1569  *
1570  * return
1571  *      0 on success
1572  *      error value otherwise
1573  */
1574 static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers,
1575                             int coreref, bool pr)
1576 {
1577         int ret;
1578         bool reseed = true;
1579
1580         pr_devel("DRBG: Initializing DRBG core %d with prediction resistance "
1581                  "%s\n", coreref, pr ? "enabled" : "disabled");
1582         mutex_lock(&drbg->drbg_mutex);
1583
1584         /* 9.1 step 1 is implicit with the selected DRBG type */
1585
1586         /*
1587          * 9.1 step 2 is implicit as caller can select prediction resistance
1588          * and the flag is copied into drbg->flags --
1589          * all DRBG types support prediction resistance
1590          */
1591
1592         /* 9.1 step 4 is implicit in  drbg_sec_strength */
1593
1594         if (!drbg->core) {
1595                 drbg->core = &drbg_cores[coreref];
1596                 drbg->pr = pr;
1597                 drbg->seeded = DRBG_SEED_STATE_UNSEEDED;
1598                 drbg->last_seed_time = 0;
1599                 drbg->reseed_threshold = drbg_max_requests(drbg);
1600
1601                 ret = drbg_alloc_state(drbg);
1602                 if (ret)
1603                         goto unlock;
1604
1605                 ret = drbg_prepare_hrng(drbg);
1606                 if (ret)
1607                         goto free_everything;
1608
1609                 reseed = false;
1610         }
1611
1612         ret = drbg_seed(drbg, pers, reseed);
1613
1614         if (ret && !reseed)
1615                 goto free_everything;
1616
1617         mutex_unlock(&drbg->drbg_mutex);
1618         return ret;
1619
1620 unlock:
1621         mutex_unlock(&drbg->drbg_mutex);
1622         return ret;
1623
1624 free_everything:
1625         mutex_unlock(&drbg->drbg_mutex);
1626         drbg_uninstantiate(drbg);
1627         return ret;
1628 }
1629
1630 /*
1631  * DRBG uninstantiate function as required by SP800-90A - this function
1632  * frees all buffers and the DRBG handle
1633  *
1634  * @drbg DRBG state handle
1635  *
1636  * return
1637  *      0 on success
1638  */
1639 static int drbg_uninstantiate(struct drbg_state *drbg)
1640 {
1641         if (!IS_ERR_OR_NULL(drbg->jent))
1642                 crypto_free_rng(drbg->jent);
1643         drbg->jent = NULL;
1644
1645         if (drbg->d_ops)
1646                 drbg->d_ops->crypto_fini(drbg);
1647         drbg_dealloc_state(drbg);
1648         /* no scrubbing of test_data -- this shall survive an uninstantiate */
1649         return 0;
1650 }
1651
1652 /*
1653  * Helper function for setting the test data in the DRBG
1654  *
1655  * @drbg DRBG state handle
1656  * @data test data
1657  * @len test data length
1658  */
1659 static void drbg_kcapi_set_entropy(struct crypto_rng *tfm,
1660                                    const u8 *data, unsigned int len)
1661 {
1662         struct drbg_state *drbg = crypto_rng_ctx(tfm);
1663
1664         mutex_lock(&drbg->drbg_mutex);
1665         drbg_string_fill(&drbg->test_data, data, len);
1666         mutex_unlock(&drbg->drbg_mutex);
1667 }
1668
1669 /***************************************************************
1670  * Kernel crypto API cipher invocations requested by DRBG
1671  ***************************************************************/
1672
1673 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC)
1674 struct sdesc {
1675         struct shash_desc shash;
1676         char ctx[];
1677 };
1678
1679 static int drbg_init_hash_kernel(struct drbg_state *drbg)
1680 {
1681         struct sdesc *sdesc;
1682         struct crypto_shash *tfm;
1683
1684         tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0);
1685         if (IS_ERR(tfm)) {
1686                 pr_info("DRBG: could not allocate digest TFM handle: %s\n",
1687                                 drbg->core->backend_cra_name);
1688                 return PTR_ERR(tfm);
1689         }
1690         BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(tfm));
1691         sdesc = kzalloc(sizeof(struct shash_desc) + crypto_shash_descsize(tfm),
1692                         GFP_KERNEL);
1693         if (!sdesc) {
1694                 crypto_free_shash(tfm);
1695                 return -ENOMEM;
1696         }
1697
1698         sdesc->shash.tfm = tfm;
1699         drbg->priv_data = sdesc;
1700
1701         return crypto_shash_alignmask(tfm);
1702 }
1703
1704 static int drbg_fini_hash_kernel(struct drbg_state *drbg)
1705 {
1706         struct sdesc *sdesc = drbg->priv_data;
1707         if (sdesc) {
1708                 crypto_free_shash(sdesc->shash.tfm);
1709                 kfree_sensitive(sdesc);
1710         }
1711         drbg->priv_data = NULL;
1712         return 0;
1713 }
1714
1715 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg,
1716                                   const unsigned char *key)
1717 {
1718         struct sdesc *sdesc = drbg->priv_data;
1719
1720         crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg));
1721 }
1722
1723 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval,
1724                            const struct list_head *in)
1725 {
1726         struct sdesc *sdesc = drbg->priv_data;
1727         struct drbg_string *input = NULL;
1728
1729         crypto_shash_init(&sdesc->shash);
1730         list_for_each_entry(input, in, list)
1731                 crypto_shash_update(&sdesc->shash, input->buf, input->len);
1732         return crypto_shash_final(&sdesc->shash, outval);
1733 }
1734 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */
1735
1736 #ifdef CONFIG_CRYPTO_DRBG_CTR
1737 static int drbg_fini_sym_kernel(struct drbg_state *drbg)
1738 {
1739         struct crypto_cipher *tfm =
1740                 (struct crypto_cipher *)drbg->priv_data;
1741         if (tfm)
1742                 crypto_free_cipher(tfm);
1743         drbg->priv_data = NULL;
1744
1745         if (drbg->ctr_handle)
1746                 crypto_free_skcipher(drbg->ctr_handle);
1747         drbg->ctr_handle = NULL;
1748
1749         if (drbg->ctr_req)
1750                 skcipher_request_free(drbg->ctr_req);
1751         drbg->ctr_req = NULL;
1752
1753         kfree(drbg->outscratchpadbuf);
1754         drbg->outscratchpadbuf = NULL;
1755
1756         return 0;
1757 }
1758
1759 static int drbg_init_sym_kernel(struct drbg_state *drbg)
1760 {
1761         struct crypto_cipher *tfm;
1762         struct crypto_skcipher *sk_tfm;
1763         struct skcipher_request *req;
1764         unsigned int alignmask;
1765         char ctr_name[CRYPTO_MAX_ALG_NAME];
1766
1767         tfm = crypto_alloc_cipher(drbg->core->backend_cra_name, 0, 0);
1768         if (IS_ERR(tfm)) {
1769                 pr_info("DRBG: could not allocate cipher TFM handle: %s\n",
1770                                 drbg->core->backend_cra_name);
1771                 return PTR_ERR(tfm);
1772         }
1773         BUG_ON(drbg_blocklen(drbg) != crypto_cipher_blocksize(tfm));
1774         drbg->priv_data = tfm;
1775
1776         if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)",
1777             drbg->core->backend_cra_name) >= CRYPTO_MAX_ALG_NAME) {
1778                 drbg_fini_sym_kernel(drbg);
1779                 return -EINVAL;
1780         }
1781         sk_tfm = crypto_alloc_skcipher(ctr_name, 0, 0);
1782         if (IS_ERR(sk_tfm)) {
1783                 pr_info("DRBG: could not allocate CTR cipher TFM handle: %s\n",
1784                                 ctr_name);
1785                 drbg_fini_sym_kernel(drbg);
1786                 return PTR_ERR(sk_tfm);
1787         }
1788         drbg->ctr_handle = sk_tfm;
1789         crypto_init_wait(&drbg->ctr_wait);
1790
1791         req = skcipher_request_alloc(sk_tfm, GFP_KERNEL);
1792         if (!req) {
1793                 pr_info("DRBG: could not allocate request queue\n");
1794                 drbg_fini_sym_kernel(drbg);
1795                 return -ENOMEM;
1796         }
1797         drbg->ctr_req = req;
1798         skcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG |
1799                                                 CRYPTO_TFM_REQ_MAY_SLEEP,
1800                                         crypto_req_done, &drbg->ctr_wait);
1801
1802         alignmask = crypto_skcipher_alignmask(sk_tfm);
1803         drbg->outscratchpadbuf = kmalloc(DRBG_OUTSCRATCHLEN + alignmask,
1804                                          GFP_KERNEL);
1805         if (!drbg->outscratchpadbuf) {
1806                 drbg_fini_sym_kernel(drbg);
1807                 return -ENOMEM;
1808         }
1809         drbg->outscratchpad = (u8 *)PTR_ALIGN(drbg->outscratchpadbuf,
1810                                               alignmask + 1);
1811
1812         sg_init_table(&drbg->sg_in, 1);
1813         sg_init_one(&drbg->sg_out, drbg->outscratchpad, DRBG_OUTSCRATCHLEN);
1814
1815         return alignmask;
1816 }
1817
1818 static void drbg_kcapi_symsetkey(struct drbg_state *drbg,
1819                                  const unsigned char *key)
1820 {
1821         struct crypto_cipher *tfm = drbg->priv_data;
1822
1823         crypto_cipher_setkey(tfm, key, (drbg_keylen(drbg)));
1824 }
1825
1826 static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval,
1827                           const struct drbg_string *in)
1828 {
1829         struct crypto_cipher *tfm = drbg->priv_data;
1830
1831         /* there is only component in *in */
1832         BUG_ON(in->len < drbg_blocklen(drbg));
1833         crypto_cipher_encrypt_one(tfm, outval, in->buf);
1834         return 0;
1835 }
1836
1837 static int drbg_kcapi_sym_ctr(struct drbg_state *drbg,
1838                               u8 *inbuf, u32 inlen,
1839                               u8 *outbuf, u32 outlen)
1840 {
1841         struct scatterlist *sg_in = &drbg->sg_in, *sg_out = &drbg->sg_out;
1842         u32 scratchpad_use = min_t(u32, outlen, DRBG_OUTSCRATCHLEN);
1843         int ret;
1844
1845         if (inbuf) {
1846                 /* Use caller-provided input buffer */
1847                 sg_set_buf(sg_in, inbuf, inlen);
1848         } else {
1849                 /* Use scratchpad for in-place operation */
1850                 inlen = scratchpad_use;
1851                 memset(drbg->outscratchpad, 0, scratchpad_use);
1852                 sg_set_buf(sg_in, drbg->outscratchpad, scratchpad_use);
1853         }
1854
1855         while (outlen) {
1856                 u32 cryptlen = min3(inlen, outlen, (u32)DRBG_OUTSCRATCHLEN);
1857
1858                 /* Output buffer may not be valid for SGL, use scratchpad */
1859                 skcipher_request_set_crypt(drbg->ctr_req, sg_in, sg_out,
1860                                            cryptlen, drbg->V);
1861                 ret = crypto_wait_req(crypto_skcipher_encrypt(drbg->ctr_req),
1862                                         &drbg->ctr_wait);
1863                 if (ret)
1864                         goto out;
1865
1866                 crypto_init_wait(&drbg->ctr_wait);
1867
1868                 memcpy(outbuf, drbg->outscratchpad, cryptlen);
1869                 memzero_explicit(drbg->outscratchpad, cryptlen);
1870
1871                 outlen -= cryptlen;
1872                 outbuf += cryptlen;
1873         }
1874         ret = 0;
1875
1876 out:
1877         return ret;
1878 }
1879 #endif /* CONFIG_CRYPTO_DRBG_CTR */
1880
1881 /***************************************************************
1882  * Kernel crypto API interface to register DRBG
1883  ***************************************************************/
1884
1885 /*
1886  * Look up the DRBG flags by given kernel crypto API cra_name
1887  * The code uses the drbg_cores definition to do this
1888  *
1889  * @cra_name kernel crypto API cra_name
1890  * @coreref reference to integer which is filled with the pointer to
1891  *  the applicable core
1892  * @pr reference for setting prediction resistance
1893  *
1894  * return: flags
1895  */
1896 static inline void drbg_convert_tfm_core(const char *cra_driver_name,
1897                                          int *coreref, bool *pr)
1898 {
1899         int i = 0;
1900         size_t start = 0;
1901         int len = 0;
1902
1903         *pr = true;
1904         /* disassemble the names */
1905         if (!memcmp(cra_driver_name, "drbg_nopr_", 10)) {
1906                 start = 10;
1907                 *pr = false;
1908         } else if (!memcmp(cra_driver_name, "drbg_pr_", 8)) {
1909                 start = 8;
1910         } else {
1911                 return;
1912         }
1913
1914         /* remove the first part */
1915         len = strlen(cra_driver_name) - start;
1916         for (i = 0; ARRAY_SIZE(drbg_cores) > i; i++) {
1917                 if (!memcmp(cra_driver_name + start, drbg_cores[i].cra_name,
1918                             len)) {
1919                         *coreref = i;
1920                         return;
1921                 }
1922         }
1923 }
1924
1925 static int drbg_kcapi_init(struct crypto_tfm *tfm)
1926 {
1927         struct drbg_state *drbg = crypto_tfm_ctx(tfm);
1928
1929         mutex_init(&drbg->drbg_mutex);
1930
1931         return 0;
1932 }
1933
1934 static void drbg_kcapi_cleanup(struct crypto_tfm *tfm)
1935 {
1936         drbg_uninstantiate(crypto_tfm_ctx(tfm));
1937 }
1938
1939 /*
1940  * Generate random numbers invoked by the kernel crypto API:
1941  * The API of the kernel crypto API is extended as follows:
1942  *
1943  * src is additional input supplied to the RNG.
1944  * slen is the length of src.
1945  * dst is the output buffer where random data is to be stored.
1946  * dlen is the length of dst.
1947  */
1948 static int drbg_kcapi_random(struct crypto_rng *tfm,
1949                              const u8 *src, unsigned int slen,
1950                              u8 *dst, unsigned int dlen)
1951 {
1952         struct drbg_state *drbg = crypto_rng_ctx(tfm);
1953         struct drbg_string *addtl = NULL;
1954         struct drbg_string string;
1955
1956         if (slen) {
1957                 /* linked list variable is now local to allow modification */
1958                 drbg_string_fill(&string, src, slen);
1959                 addtl = &string;
1960         }
1961
1962         return drbg_generate_long(drbg, dst, dlen, addtl);
1963 }
1964
1965 /*
1966  * Seed the DRBG invoked by the kernel crypto API
1967  */
1968 static int drbg_kcapi_seed(struct crypto_rng *tfm,
1969                            const u8 *seed, unsigned int slen)
1970 {
1971         struct drbg_state *drbg = crypto_rng_ctx(tfm);
1972         struct crypto_tfm *tfm_base = crypto_rng_tfm(tfm);
1973         bool pr = false;
1974         struct drbg_string string;
1975         struct drbg_string *seed_string = NULL;
1976         int coreref = 0;
1977
1978         drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm_base), &coreref,
1979                               &pr);
1980         if (0 < slen) {
1981                 drbg_string_fill(&string, seed, slen);
1982                 seed_string = &string;
1983         }
1984
1985         return drbg_instantiate(drbg, seed_string, coreref, pr);
1986 }
1987
1988 /***************************************************************
1989  * Kernel module: code to load the module
1990  ***************************************************************/
1991
1992 /*
1993  * Tests as defined in 11.3.2 in addition to the cipher tests: testing
1994  * of the error handling.
1995  *
1996  * Note: testing of failing seed source as defined in 11.3.2 is not applicable
1997  * as seed source of get_random_bytes does not fail.
1998  *
1999  * Note 2: There is no sensible way of testing the reseed counter
2000  * enforcement, so skip it.
2001  */
2002 static inline int __init drbg_healthcheck_sanity(void)
2003 {
2004         int len = 0;
2005 #define OUTBUFLEN 16
2006         unsigned char buf[OUTBUFLEN];
2007         struct drbg_state *drbg = NULL;
2008         int ret;
2009         int rc = -EFAULT;
2010         bool pr = false;
2011         int coreref = 0;
2012         struct drbg_string addtl;
2013         size_t max_addtllen, max_request_bytes;
2014
2015         /* only perform test in FIPS mode */
2016         if (!fips_enabled)
2017                 return 0;
2018
2019 #ifdef CONFIG_CRYPTO_DRBG_CTR
2020         drbg_convert_tfm_core("drbg_nopr_ctr_aes128", &coreref, &pr);
2021 #elif defined CONFIG_CRYPTO_DRBG_HASH
2022         drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr);
2023 #else
2024         drbg_convert_tfm_core("drbg_nopr_hmac_sha256", &coreref, &pr);
2025 #endif
2026
2027         drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL);
2028         if (!drbg)
2029                 return -ENOMEM;
2030
2031         mutex_init(&drbg->drbg_mutex);
2032         drbg->core = &drbg_cores[coreref];
2033         drbg->reseed_threshold = drbg_max_requests(drbg);
2034
2035         /*
2036          * if the following tests fail, it is likely that there is a buffer
2037          * overflow as buf is much smaller than the requested or provided
2038          * string lengths -- in case the error handling does not succeed
2039          * we may get an OOPS. And we want to get an OOPS as this is a
2040          * grave bug.
2041          */
2042
2043         max_addtllen = drbg_max_addtl(drbg);
2044         max_request_bytes = drbg_max_request_bytes(drbg);
2045         drbg_string_fill(&addtl, buf, max_addtllen + 1);
2046         /* overflow addtllen with additonal info string */
2047         len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl);
2048         BUG_ON(0 < len);
2049         /* overflow max_bits */
2050         len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL);
2051         BUG_ON(0 < len);
2052
2053         /* overflow max addtllen with personalization string */
2054         ret = drbg_seed(drbg, &addtl, false);
2055         BUG_ON(0 == ret);
2056         /* all tests passed */
2057         rc = 0;
2058
2059         pr_devel("DRBG: Sanity tests for failure code paths successfully "
2060                  "completed\n");
2061
2062         kfree(drbg);
2063         return rc;
2064 }
2065
2066 static struct rng_alg drbg_algs[22];
2067
2068 /*
2069  * Fill the array drbg_algs used to register the different DRBGs
2070  * with the kernel crypto API. To fill the array, the information
2071  * from drbg_cores[] is used.
2072  */
2073 static inline void __init drbg_fill_array(struct rng_alg *alg,
2074                                           const struct drbg_core *core, int pr)
2075 {
2076         int pos = 0;
2077         static int priority = 200;
2078
2079         memcpy(alg->base.cra_name, "stdrng", 6);
2080         if (pr) {
2081                 memcpy(alg->base.cra_driver_name, "drbg_pr_", 8);
2082                 pos = 8;
2083         } else {
2084                 memcpy(alg->base.cra_driver_name, "drbg_nopr_", 10);
2085                 pos = 10;
2086         }
2087         memcpy(alg->base.cra_driver_name + pos, core->cra_name,
2088                strlen(core->cra_name));
2089
2090         alg->base.cra_priority = priority;
2091         priority++;
2092         /*
2093          * If FIPS mode enabled, the selected DRBG shall have the
2094          * highest cra_priority over other stdrng instances to ensure
2095          * it is selected.
2096          */
2097         if (fips_enabled)
2098                 alg->base.cra_priority += 200;
2099
2100         alg->base.cra_ctxsize   = sizeof(struct drbg_state);
2101         alg->base.cra_module    = THIS_MODULE;
2102         alg->base.cra_init      = drbg_kcapi_init;
2103         alg->base.cra_exit      = drbg_kcapi_cleanup;
2104         alg->generate           = drbg_kcapi_random;
2105         alg->seed               = drbg_kcapi_seed;
2106         alg->set_ent            = drbg_kcapi_set_entropy;
2107         alg->seedsize           = 0;
2108 }
2109
2110 static int __init drbg_init(void)
2111 {
2112         unsigned int i = 0; /* pointer to drbg_algs */
2113         unsigned int j = 0; /* pointer to drbg_cores */
2114         int ret;
2115
2116         ret = drbg_healthcheck_sanity();
2117         if (ret)
2118                 return ret;
2119
2120         if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) {
2121                 pr_info("DRBG: Cannot register all DRBG types"
2122                         "(slots needed: %zu, slots available: %zu)\n",
2123                         ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs));
2124                 return -EFAULT;
2125         }
2126
2127         /*
2128          * each DRBG definition can be used with PR and without PR, thus
2129          * we instantiate each DRBG in drbg_cores[] twice.
2130          *
2131          * As the order of placing them into the drbg_algs array matters
2132          * (the later DRBGs receive a higher cra_priority) we register the
2133          * prediction resistance DRBGs first as the should not be too
2134          * interesting.
2135          */
2136         for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++)
2137                 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 1);
2138         for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++)
2139                 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 0);
2140         return crypto_register_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2));
2141 }
2142
2143 static void __exit drbg_exit(void)
2144 {
2145         crypto_unregister_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2));
2146 }
2147
2148 subsys_initcall(drbg_init);
2149 module_exit(drbg_exit);
2150 #ifndef CRYPTO_DRBG_HASH_STRING
2151 #define CRYPTO_DRBG_HASH_STRING ""
2152 #endif
2153 #ifndef CRYPTO_DRBG_HMAC_STRING
2154 #define CRYPTO_DRBG_HMAC_STRING ""
2155 #endif
2156 #ifndef CRYPTO_DRBG_CTR_STRING
2157 #define CRYPTO_DRBG_CTR_STRING ""
2158 #endif
2159 MODULE_LICENSE("GPL");
2160 MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
2161 MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) "
2162                    "using following cores: "
2163                    CRYPTO_DRBG_HASH_STRING
2164                    CRYPTO_DRBG_HMAC_STRING
2165                    CRYPTO_DRBG_CTR_STRING);
2166 MODULE_ALIAS_CRYPTO("stdrng");
2167 MODULE_IMPORT_NS(CRYPTO_INTERNAL);