Commit | Line | Data |
---|---|---|
3e16f959 SM |
1 | /* |
2 | * DRBG based on NIST SP800-90A | |
3 | * | |
4 | * Copyright Stephan Mueller <smueller@chronox.de>, 2014 | |
5 | * | |
6 | * Redistribution and use in source and binary forms, with or without | |
7 | * modification, are permitted provided that the following conditions | |
8 | * are met: | |
9 | * 1. Redistributions of source code must retain the above copyright | |
10 | * notice, and the entire permission notice in its entirety, | |
11 | * including the disclaimer of warranties. | |
12 | * 2. Redistributions in binary form must reproduce the above copyright | |
13 | * notice, this list of conditions and the following disclaimer in the | |
14 | * documentation and/or other materials provided with the distribution. | |
15 | * 3. The name of the author may not be used to endorse or promote | |
16 | * products derived from this software without specific prior | |
17 | * written permission. | |
18 | * | |
19 | * ALTERNATIVELY, this product may be distributed under the terms of | |
20 | * the GNU General Public License, in which case the provisions of the GPL are | |
21 | * required INSTEAD OF the above restrictions. (This clause is | |
22 | * necessary due to a potential bad interaction between the GPL and | |
23 | * the restrictions contained in a BSD-style copyright.) | |
24 | * | |
25 | * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED | |
26 | * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES | |
27 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF | |
28 | * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE | |
29 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | |
30 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT | |
31 | * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR | |
32 | * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF | |
33 | * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | |
34 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE | |
35 | * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH | |
36 | * DAMAGE. | |
37 | */ | |
38 | ||
39 | #ifndef _DRBG_H | |
40 | #define _DRBG_H | |
41 | ||
42 | ||
43 | #include <linux/random.h> | |
44 | #include <linux/scatterlist.h> | |
45 | #include <crypto/hash.h> | |
46 | #include <linux/module.h> | |
47 | #include <linux/crypto.h> | |
48 | #include <linux/slab.h> | |
49 | #include <crypto/internal/rng.h> | |
50 | #include <crypto/rng.h> | |
51 | #include <linux/fips.h> | |
76899a41 | 52 | #include <linux/mutex.h> |
8c987166 | 53 | #include <linux/list.h> |
4c787990 | 54 | #include <linux/workqueue.h> |
3e16f959 SM |
55 | |
56 | /* | |
57 | * Concatenation Helper and string operation helper | |
58 | * | |
59 | * SP800-90A requires the concatenation of different data. To avoid copying | |
60 | * buffers around or allocate additional memory, the following data structure | |
61 | * is used to point to the original memory with its size. In addition, it | |
62 | * is used to build a linked list. The linked list defines the concatenation | |
63 | * of individual buffers. The order of memory block referenced in that | |
64 | * linked list determines the order of concatenation. | |
65 | */ | |
66 | struct drbg_string { | |
67 | const unsigned char *buf; | |
68 | size_t len; | |
8c987166 | 69 | struct list_head list; |
3e16f959 SM |
70 | }; |
71 | ||
72 | static inline void drbg_string_fill(struct drbg_string *string, | |
73 | const unsigned char *buf, size_t len) | |
74 | { | |
75 | string->buf = buf; | |
76 | string->len = len; | |
8c987166 | 77 | INIT_LIST_HEAD(&string->list); |
3e16f959 SM |
78 | } |
79 | ||
80 | struct drbg_state; | |
81 | typedef uint32_t drbg_flag_t; | |
82 | ||
83 | struct drbg_core { | |
84 | drbg_flag_t flags; /* flags for the cipher */ | |
85 | __u8 statelen; /* maximum state length */ | |
3e16f959 SM |
86 | __u8 blocklen_bytes; /* block size of output in bytes */ |
87 | char cra_name[CRYPTO_MAX_ALG_NAME]; /* mapping to kernel crypto API */ | |
88 | /* kernel crypto API backend cipher name */ | |
89 | char backend_cra_name[CRYPTO_MAX_ALG_NAME]; | |
90 | }; | |
91 | ||
92 | struct drbg_state_ops { | |
8c987166 | 93 | int (*update)(struct drbg_state *drbg, struct list_head *seed, |
3e16f959 SM |
94 | int reseed); |
95 | int (*generate)(struct drbg_state *drbg, | |
96 | unsigned char *buf, unsigned int buflen, | |
27e4de2b | 97 | struct list_head *addtl); |
3e16f959 SM |
98 | int (*crypto_init)(struct drbg_state *drbg); |
99 | int (*crypto_fini)(struct drbg_state *drbg); | |
100 | ||
101 | }; | |
102 | ||
103 | struct drbg_test_data { | |
104 | struct drbg_string *testentropy; /* TEST PARAMETER: test entropy */ | |
105 | }; | |
106 | ||
107 | struct drbg_state { | |
76899a41 | 108 | struct mutex drbg_mutex; /* lock around DRBG */ |
3e16f959 SM |
109 | unsigned char *V; /* internal state 10.1.1.1 1a) */ |
110 | /* hash: static value 10.1.1.1 1b) hmac / ctr: key */ | |
111 | unsigned char *C; | |
112 | /* Number of RNG requests since last reseed -- 10.1.1.1 1c) */ | |
113 | size_t reseed_ctr; | |
42ea507f | 114 | size_t reseed_threshold; |
3e16f959 SM |
115 | /* some memory the DRBG can use for its operation */ |
116 | unsigned char *scratchpad; | |
117 | void *priv_data; /* Cipher handle */ | |
118 | bool seeded; /* DRBG fully seeded? */ | |
119 | bool pr; /* Prediction resistance enabled? */ | |
4c787990 | 120 | struct work_struct seed_work; /* asynchronous seeding support */ |
b8ec5ba4 | 121 | struct crypto_rng *jent; |
3e16f959 SM |
122 | const struct drbg_state_ops *d_ops; |
123 | const struct drbg_core *core; | |
8fded592 | 124 | struct drbg_string test_data; |
57225e67 | 125 | struct random_ready_callback random_ready; |
3e16f959 SM |
126 | }; |
127 | ||
128 | static inline __u8 drbg_statelen(struct drbg_state *drbg) | |
129 | { | |
130 | if (drbg && drbg->core) | |
131 | return drbg->core->statelen; | |
132 | return 0; | |
133 | } | |
134 | ||
135 | static inline __u8 drbg_blocklen(struct drbg_state *drbg) | |
136 | { | |
137 | if (drbg && drbg->core) | |
138 | return drbg->core->blocklen_bytes; | |
139 | return 0; | |
140 | } | |
141 | ||
142 | static inline __u8 drbg_keylen(struct drbg_state *drbg) | |
143 | { | |
144 | if (drbg && drbg->core) | |
145 | return (drbg->core->statelen - drbg->core->blocklen_bytes); | |
146 | return 0; | |
147 | } | |
148 | ||
149 | static inline size_t drbg_max_request_bytes(struct drbg_state *drbg) | |
150 | { | |
05c81ccd SM |
151 | /* SP800-90A requires the limit 2**19 bits, but we return bytes */ |
152 | return (1 << 16); | |
3e16f959 SM |
153 | } |
154 | ||
155 | static inline size_t drbg_max_addtl(struct drbg_state *drbg) | |
156 | { | |
05c81ccd | 157 | /* SP800-90A requires 2**35 bytes additional info str / pers str */ |
b9347aff SM |
158 | #if (__BITS_PER_LONG == 32) |
159 | /* | |
160 | * SP800-90A allows smaller maximum numbers to be returned -- we | |
161 | * return SIZE_MAX - 1 to allow the verification of the enforcement | |
162 | * of this value in drbg_healthcheck_sanity. | |
163 | */ | |
164 | return (SIZE_MAX - 1); | |
165 | #else | |
05c81ccd | 166 | return (1UL<<35); |
b9347aff | 167 | #endif |
3e16f959 SM |
168 | } |
169 | ||
170 | static inline size_t drbg_max_requests(struct drbg_state *drbg) | |
171 | { | |
05c81ccd | 172 | /* SP800-90A requires 2**48 maximum requests before reseeding */ |
b9347aff SM |
173 | #if (__BITS_PER_LONG == 32) |
174 | return SIZE_MAX; | |
175 | #else | |
05c81ccd | 176 | return (1UL<<48); |
b9347aff | 177 | #endif |
3e16f959 SM |
178 | } |
179 | ||
3e16f959 SM |
180 | /* |
181 | * This is a wrapper to the kernel crypto API function of | |
8fded592 | 182 | * crypto_rng_generate() to allow the caller to provide additional data. |
3e16f959 SM |
183 | * |
184 | * @drng DRBG handle -- see crypto_rng_get_bytes | |
185 | * @outbuf output buffer -- see crypto_rng_get_bytes | |
186 | * @outlen length of output buffer -- see crypto_rng_get_bytes | |
187 | * @addtl_input additional information string input buffer | |
188 | * @addtllen length of additional information string buffer | |
189 | * | |
190 | * return | |
191 | * see crypto_rng_get_bytes | |
192 | */ | |
193 | static inline int crypto_drbg_get_bytes_addtl(struct crypto_rng *drng, | |
194 | unsigned char *outbuf, unsigned int outlen, | |
195 | struct drbg_string *addtl) | |
196 | { | |
8fded592 HX |
197 | return crypto_rng_generate(drng, addtl->buf, addtl->len, |
198 | outbuf, outlen); | |
3e16f959 SM |
199 | } |
200 | ||
201 | /* | |
202 | * TEST code | |
203 | * | |
204 | * This is a wrapper to the kernel crypto API function of | |
8fded592 | 205 | * crypto_rng_generate() to allow the caller to provide additional data and |
3e16f959 SM |
206 | * allow furnishing of test_data |
207 | * | |
208 | * @drng DRBG handle -- see crypto_rng_get_bytes | |
209 | * @outbuf output buffer -- see crypto_rng_get_bytes | |
210 | * @outlen length of output buffer -- see crypto_rng_get_bytes | |
211 | * @addtl_input additional information string input buffer | |
212 | * @addtllen length of additional information string buffer | |
213 | * @test_data filled test data | |
214 | * | |
215 | * return | |
216 | * see crypto_rng_get_bytes | |
217 | */ | |
218 | static inline int crypto_drbg_get_bytes_addtl_test(struct crypto_rng *drng, | |
219 | unsigned char *outbuf, unsigned int outlen, | |
220 | struct drbg_string *addtl, | |
221 | struct drbg_test_data *test_data) | |
222 | { | |
8fded592 HX |
223 | crypto_rng_set_entropy(drng, test_data->testentropy->buf, |
224 | test_data->testentropy->len); | |
225 | return crypto_rng_generate(drng, addtl->buf, addtl->len, | |
226 | outbuf, outlen); | |
3e16f959 SM |
227 | } |
228 | ||
229 | /* | |
230 | * TEST code | |
231 | * | |
232 | * This is a wrapper to the kernel crypto API function of | |
233 | * crypto_rng_reset() to allow the caller to provide test_data | |
234 | * | |
235 | * @drng DRBG handle -- see crypto_rng_reset | |
236 | * @pers personalization string input buffer | |
237 | * @perslen length of additional information string buffer | |
238 | * @test_data filled test data | |
239 | * | |
240 | * return | |
241 | * see crypto_rng_reset | |
242 | */ | |
243 | static inline int crypto_drbg_reset_test(struct crypto_rng *drng, | |
244 | struct drbg_string *pers, | |
245 | struct drbg_test_data *test_data) | |
246 | { | |
8fded592 HX |
247 | crypto_rng_set_entropy(drng, test_data->testentropy->buf, |
248 | test_data->testentropy->len); | |
249 | return crypto_rng_reset(drng, pers->buf, pers->len); | |
3e16f959 SM |
250 | } |
251 | ||
252 | /* DRBG type flags */ | |
253 | #define DRBG_CTR ((drbg_flag_t)1<<0) | |
254 | #define DRBG_HMAC ((drbg_flag_t)1<<1) | |
255 | #define DRBG_HASH ((drbg_flag_t)1<<2) | |
256 | #define DRBG_TYPE_MASK (DRBG_CTR | DRBG_HMAC | DRBG_HASH) | |
257 | /* DRBG strength flags */ | |
258 | #define DRBG_STRENGTH128 ((drbg_flag_t)1<<3) | |
259 | #define DRBG_STRENGTH192 ((drbg_flag_t)1<<4) | |
260 | #define DRBG_STRENGTH256 ((drbg_flag_t)1<<5) | |
261 | #define DRBG_STRENGTH_MASK (DRBG_STRENGTH128 | DRBG_STRENGTH192 | \ | |
262 | DRBG_STRENGTH256) | |
263 | ||
264 | enum drbg_prefixes { | |
265 | DRBG_PREFIX0 = 0x00, | |
266 | DRBG_PREFIX1, | |
267 | DRBG_PREFIX2, | |
268 | DRBG_PREFIX3 | |
269 | }; | |
270 | ||
271 | #endif /* _DRBG_H */ |