video: rockchip: iep: do not default enable
[firefly-linux-kernel-4.4.55.git] / crypto / drbg.c
1 /*
2  * DRBG: Deterministic Random Bits Generator
3  *       Based on NIST Recommended DRBG from NIST SP800-90A with the following
4  *       properties:
5  *              * CTR DRBG with DF with AES-128, AES-192, AES-256 cores
6  *              * Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
7  *              * HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
8  *              * with and without prediction resistance
9  *
10  * Copyright Stephan Mueller <smueller@chronox.de>, 2014
11  *
12  * Redistribution and use in source and binary forms, with or without
13  * modification, are permitted provided that the following conditions
14  * are met:
15  * 1. Redistributions of source code must retain the above copyright
16  *    notice, and the entire permission notice in its entirety,
17  *    including the disclaimer of warranties.
18  * 2. Redistributions in binary form must reproduce the above copyright
19  *    notice, this list of conditions and the following disclaimer in the
20  *    documentation and/or other materials provided with the distribution.
21  * 3. The name of the author may not be used to endorse or promote
22  *    products derived from this software without specific prior
23  *    written permission.
24  *
25  * ALTERNATIVELY, this product may be distributed under the terms of
26  * the GNU General Public License, in which case the provisions of the GPL are
27  * required INSTEAD OF the above restrictions.  (This clause is
28  * necessary due to a potential bad interaction between the GPL and
29  * the restrictions contained in a BSD-style copyright.)
30  *
31  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
32  * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
33  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
34  * WHICH ARE HEREBY DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE
35  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
36  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
37  * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
38  * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
39  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
40  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
41  * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
42  * DAMAGE.
43  *
44  * DRBG Usage
45  * ==========
46  * The SP 800-90A DRBG allows the user to specify a personalization string
47  * for initialization as well as an additional information string for each
48  * random number request. The following code fragments show how a caller
49  * uses the kernel crypto API to use the full functionality of the DRBG.
50  *
51  * Usage without any additional data
52  * ---------------------------------
53  * struct crypto_rng *drng;
54  * int err;
55  * char data[DATALEN];
56  *
57  * drng = crypto_alloc_rng(drng_name, 0, 0);
58  * err = crypto_rng_get_bytes(drng, &data, DATALEN);
59  * crypto_free_rng(drng);
60  *
61  *
62  * Usage with personalization string during initialization
63  * -------------------------------------------------------
64  * struct crypto_rng *drng;
65  * int err;
66  * char data[DATALEN];
67  * struct drbg_string pers;
68  * char personalization[11] = "some-string";
69  *
70  * drbg_string_fill(&pers, personalization, strlen(personalization));
71  * drng = crypto_alloc_rng(drng_name, 0, 0);
72  * // The reset completely re-initializes the DRBG with the provided
73  * // personalization string
74  * err = crypto_rng_reset(drng, &personalization, strlen(personalization));
75  * err = crypto_rng_get_bytes(drng, &data, DATALEN);
76  * crypto_free_rng(drng);
77  *
78  *
79  * Usage with additional information string during random number request
80  * ---------------------------------------------------------------------
81  * struct crypto_rng *drng;
82  * int err;
83  * char data[DATALEN];
84  * char addtl_string[11] = "some-string";
85  * string drbg_string addtl;
86  *
87  * drbg_string_fill(&addtl, addtl_string, strlen(addtl_string));
88  * drng = crypto_alloc_rng(drng_name, 0, 0);
89  * // The following call is a wrapper to crypto_rng_get_bytes() and returns
90  * // the same error codes.
91  * err = crypto_drbg_get_bytes_addtl(drng, &data, DATALEN, &addtl);
92  * crypto_free_rng(drng);
93  *
94  *
95  * Usage with personalization and additional information strings
96  * -------------------------------------------------------------
97  * Just mix both scenarios above.
98  */
99
100 #include <crypto/drbg.h>
101 #include <linux/kernel.h>
102
103 /***************************************************************
104  * Backend cipher definitions available to DRBG
105  ***************************************************************/
106
107 /*
108  * The order of the DRBG definitions here matter: every DRBG is registered
109  * as stdrng. Each DRBG receives an increasing cra_priority values the later
110  * they are defined in this array (see drbg_fill_array).
111  *
112  * HMAC DRBGs are favored over Hash DRBGs over CTR DRBGs, and
113  * the SHA256 / AES 256 over other ciphers. Thus, the favored
114  * DRBGs are the latest entries in this array.
115  */
116 static const struct drbg_core drbg_cores[] = {
117 #ifdef CONFIG_CRYPTO_DRBG_CTR
118         {
119                 .flags = DRBG_CTR | DRBG_STRENGTH128,
120                 .statelen = 32, /* 256 bits as defined in 10.2.1 */
121                 .blocklen_bytes = 16,
122                 .cra_name = "ctr_aes128",
123                 .backend_cra_name = "aes",
124         }, {
125                 .flags = DRBG_CTR | DRBG_STRENGTH192,
126                 .statelen = 40, /* 320 bits as defined in 10.2.1 */
127                 .blocklen_bytes = 16,
128                 .cra_name = "ctr_aes192",
129                 .backend_cra_name = "aes",
130         }, {
131                 .flags = DRBG_CTR | DRBG_STRENGTH256,
132                 .statelen = 48, /* 384 bits as defined in 10.2.1 */
133                 .blocklen_bytes = 16,
134                 .cra_name = "ctr_aes256",
135                 .backend_cra_name = "aes",
136         },
137 #endif /* CONFIG_CRYPTO_DRBG_CTR */
138 #ifdef CONFIG_CRYPTO_DRBG_HASH
139         {
140                 .flags = DRBG_HASH | DRBG_STRENGTH128,
141                 .statelen = 55, /* 440 bits */
142                 .blocklen_bytes = 20,
143                 .cra_name = "sha1",
144                 .backend_cra_name = "sha1",
145         }, {
146                 .flags = DRBG_HASH | DRBG_STRENGTH256,
147                 .statelen = 111, /* 888 bits */
148                 .blocklen_bytes = 48,
149                 .cra_name = "sha384",
150                 .backend_cra_name = "sha384",
151         }, {
152                 .flags = DRBG_HASH | DRBG_STRENGTH256,
153                 .statelen = 111, /* 888 bits */
154                 .blocklen_bytes = 64,
155                 .cra_name = "sha512",
156                 .backend_cra_name = "sha512",
157         }, {
158                 .flags = DRBG_HASH | DRBG_STRENGTH256,
159                 .statelen = 55, /* 440 bits */
160                 .blocklen_bytes = 32,
161                 .cra_name = "sha256",
162                 .backend_cra_name = "sha256",
163         },
164 #endif /* CONFIG_CRYPTO_DRBG_HASH */
165 #ifdef CONFIG_CRYPTO_DRBG_HMAC
166         {
167                 .flags = DRBG_HMAC | DRBG_STRENGTH128,
168                 .statelen = 20, /* block length of cipher */
169                 .blocklen_bytes = 20,
170                 .cra_name = "hmac_sha1",
171                 .backend_cra_name = "hmac(sha1)",
172         }, {
173                 .flags = DRBG_HMAC | DRBG_STRENGTH256,
174                 .statelen = 48, /* block length of cipher */
175                 .blocklen_bytes = 48,
176                 .cra_name = "hmac_sha384",
177                 .backend_cra_name = "hmac(sha384)",
178         }, {
179                 .flags = DRBG_HMAC | DRBG_STRENGTH256,
180                 .statelen = 64, /* block length of cipher */
181                 .blocklen_bytes = 64,
182                 .cra_name = "hmac_sha512",
183                 .backend_cra_name = "hmac(sha512)",
184         }, {
185                 .flags = DRBG_HMAC | DRBG_STRENGTH256,
186                 .statelen = 32, /* block length of cipher */
187                 .blocklen_bytes = 32,
188                 .cra_name = "hmac_sha256",
189                 .backend_cra_name = "hmac(sha256)",
190         },
191 #endif /* CONFIG_CRYPTO_DRBG_HMAC */
192 };
193
194 static int drbg_uninstantiate(struct drbg_state *drbg);
195
196 /******************************************************************
197  * Generic helper functions
198  ******************************************************************/
199
200 /*
201  * Return strength of DRBG according to SP800-90A section 8.4
202  *
203  * @flags DRBG flags reference
204  *
205  * Return: normalized strength in *bytes* value or 32 as default
206  *         to counter programming errors
207  */
208 static inline unsigned short drbg_sec_strength(drbg_flag_t flags)
209 {
210         switch (flags & DRBG_STRENGTH_MASK) {
211         case DRBG_STRENGTH128:
212                 return 16;
213         case DRBG_STRENGTH192:
214                 return 24;
215         case DRBG_STRENGTH256:
216                 return 32;
217         default:
218                 return 32;
219         }
220 }
221
222 /*
223  * FIPS 140-2 continuous self test
224  * The test is performed on the result of one round of the output
225  * function. Thus, the function implicitly knows the size of the
226  * buffer.
227  *
228  * @drbg DRBG handle
229  * @buf output buffer of random data to be checked
230  *
231  * return:
232  *      true on success
233  *      false on error
234  */
235 static bool drbg_fips_continuous_test(struct drbg_state *drbg,
236                                       const unsigned char *buf)
237 {
238 #ifdef CONFIG_CRYPTO_FIPS
239         int ret = 0;
240         /* skip test if we test the overall system */
241         if (list_empty(&drbg->test_data.list))
242                 return true;
243         /* only perform test in FIPS mode */
244         if (0 == fips_enabled)
245                 return true;
246         if (!drbg->fips_primed) {
247                 /* Priming of FIPS test */
248                 memcpy(drbg->prev, buf, drbg_blocklen(drbg));
249                 drbg->fips_primed = true;
250                 /* return false due to priming, i.e. another round is needed */
251                 return false;
252         }
253         ret = memcmp(drbg->prev, buf, drbg_blocklen(drbg));
254         if (!ret)
255                 panic("DRBG continuous self test failed\n");
256         memcpy(drbg->prev, buf, drbg_blocklen(drbg));
257         /* the test shall pass when the two compared values are not equal */
258         return ret != 0;
259 #else
260         return true;
261 #endif /* CONFIG_CRYPTO_FIPS */
262 }
263
264 /*
265  * Convert an integer into a byte representation of this integer.
266  * The byte representation is big-endian
267  *
268  * @val value to be converted
269  * @buf buffer holding the converted integer -- caller must ensure that
270  *      buffer size is at least 32 bit
271  */
272 #if (defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR))
273 static inline void drbg_cpu_to_be32(__u32 val, unsigned char *buf)
274 {
275         struct s {
276                 __be32 conv;
277         };
278         struct s *conversion = (struct s *) buf;
279
280         conversion->conv = cpu_to_be32(val);
281 }
282 #endif /* defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR) */
283
284 /******************************************************************
285  * CTR DRBG callback functions
286  ******************************************************************/
287
288 #ifdef CONFIG_CRYPTO_DRBG_CTR
289 #define CRYPTO_DRBG_CTR_STRING "CTR "
290 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes256");
291 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes256");
292 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes192");
293 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes192");
294 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes128");
295 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes128");
296
297 static int drbg_kcapi_sym(struct drbg_state *drbg, const unsigned char *key,
298                           unsigned char *outval, const struct drbg_string *in);
299 static int drbg_init_sym_kernel(struct drbg_state *drbg);
300 static int drbg_fini_sym_kernel(struct drbg_state *drbg);
301
302 /* BCC function for CTR DRBG as defined in 10.4.3 */
303 static int drbg_ctr_bcc(struct drbg_state *drbg,
304                         unsigned char *out, const unsigned char *key,
305                         struct list_head *in)
306 {
307         int ret = 0;
308         struct drbg_string *curr = NULL;
309         struct drbg_string data;
310         short cnt = 0;
311
312         drbg_string_fill(&data, out, drbg_blocklen(drbg));
313
314         /* 10.4.3 step 2 / 4 */
315         list_for_each_entry(curr, in, list) {
316                 const unsigned char *pos = curr->buf;
317                 size_t len = curr->len;
318                 /* 10.4.3 step 4.1 */
319                 while (len) {
320                         /* 10.4.3 step 4.2 */
321                         if (drbg_blocklen(drbg) == cnt) {
322                                 cnt = 0;
323                                 ret = drbg_kcapi_sym(drbg, key, out, &data);
324                                 if (ret)
325                                         return ret;
326                         }
327                         out[cnt] ^= *pos;
328                         pos++;
329                         cnt++;
330                         len--;
331                 }
332         }
333         /* 10.4.3 step 4.2 for last block */
334         if (cnt)
335                 ret = drbg_kcapi_sym(drbg, key, out, &data);
336
337         return ret;
338 }
339
340 /*
341  * scratchpad usage: drbg_ctr_update is interlinked with drbg_ctr_df
342  * (and drbg_ctr_bcc, but this function does not need any temporary buffers),
343  * the scratchpad is used as follows:
344  * drbg_ctr_update:
345  *      temp
346  *              start: drbg->scratchpad
347  *              length: drbg_statelen(drbg) + drbg_blocklen(drbg)
348  *                      note: the cipher writing into this variable works
349  *                      blocklen-wise. Now, when the statelen is not a multiple
350  *                      of blocklen, the generateion loop below "spills over"
351  *                      by at most blocklen. Thus, we need to give sufficient
352  *                      memory.
353  *      df_data
354  *              start: drbg->scratchpad +
355  *                              drbg_statelen(drbg) + drbg_blocklen(drbg)
356  *              length: drbg_statelen(drbg)
357  *
358  * drbg_ctr_df:
359  *      pad
360  *              start: df_data + drbg_statelen(drbg)
361  *              length: drbg_blocklen(drbg)
362  *      iv
363  *              start: pad + drbg_blocklen(drbg)
364  *              length: drbg_blocklen(drbg)
365  *      temp
366  *              start: iv + drbg_blocklen(drbg)
367  *              length: drbg_satelen(drbg) + drbg_blocklen(drbg)
368  *                      note: temp is the buffer that the BCC function operates
369  *                      on. BCC operates blockwise. drbg_statelen(drbg)
370  *                      is sufficient when the DRBG state length is a multiple
371  *                      of the block size. For AES192 (and maybe other ciphers)
372  *                      this is not correct and the length for temp is
373  *                      insufficient (yes, that also means for such ciphers,
374  *                      the final output of all BCC rounds are truncated).
375  *                      Therefore, add drbg_blocklen(drbg) to cover all
376  *                      possibilities.
377  */
378
379 /* Derivation Function for CTR DRBG as defined in 10.4.2 */
380 static int drbg_ctr_df(struct drbg_state *drbg,
381                        unsigned char *df_data, size_t bytes_to_return,
382                        struct list_head *seedlist)
383 {
384         int ret = -EFAULT;
385         unsigned char L_N[8];
386         /* S3 is input */
387         struct drbg_string S1, S2, S4, cipherin;
388         LIST_HEAD(bcc_list);
389         unsigned char *pad = df_data + drbg_statelen(drbg);
390         unsigned char *iv = pad + drbg_blocklen(drbg);
391         unsigned char *temp = iv + drbg_blocklen(drbg);
392         size_t padlen = 0;
393         unsigned int templen = 0;
394         /* 10.4.2 step 7 */
395         unsigned int i = 0;
396         /* 10.4.2 step 8 */
397         const unsigned char *K = (unsigned char *)
398                            "\x00\x01\x02\x03\x04\x05\x06\x07"
399                            "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
400                            "\x10\x11\x12\x13\x14\x15\x16\x17"
401                            "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f";
402         unsigned char *X;
403         size_t generated_len = 0;
404         size_t inputlen = 0;
405         struct drbg_string *seed = NULL;
406
407         memset(pad, 0, drbg_blocklen(drbg));
408         memset(iv, 0, drbg_blocklen(drbg));
409
410         /* 10.4.2 step 1 is implicit as we work byte-wise */
411
412         /* 10.4.2 step 2 */
413         if ((512/8) < bytes_to_return)
414                 return -EINVAL;
415
416         /* 10.4.2 step 2 -- calculate the entire length of all input data */
417         list_for_each_entry(seed, seedlist, list)
418                 inputlen += seed->len;
419         drbg_cpu_to_be32(inputlen, &L_N[0]);
420
421         /* 10.4.2 step 3 */
422         drbg_cpu_to_be32(bytes_to_return, &L_N[4]);
423
424         /* 10.4.2 step 5: length is L_N, input_string, one byte, padding */
425         padlen = (inputlen + sizeof(L_N) + 1) % (drbg_blocklen(drbg));
426         /* wrap the padlen appropriately */
427         if (padlen)
428                 padlen = drbg_blocklen(drbg) - padlen;
429         /*
430          * pad / padlen contains the 0x80 byte and the following zero bytes.
431          * As the calculated padlen value only covers the number of zero
432          * bytes, this value has to be incremented by one for the 0x80 byte.
433          */
434         padlen++;
435         pad[0] = 0x80;
436
437         /* 10.4.2 step 4 -- first fill the linked list and then order it */
438         drbg_string_fill(&S1, iv, drbg_blocklen(drbg));
439         list_add_tail(&S1.list, &bcc_list);
440         drbg_string_fill(&S2, L_N, sizeof(L_N));
441         list_add_tail(&S2.list, &bcc_list);
442         list_splice_tail(seedlist, &bcc_list);
443         drbg_string_fill(&S4, pad, padlen);
444         list_add_tail(&S4.list, &bcc_list);
445
446         /* 10.4.2 step 9 */
447         while (templen < (drbg_keylen(drbg) + (drbg_blocklen(drbg)))) {
448                 /*
449                  * 10.4.2 step 9.1 - the padding is implicit as the buffer
450                  * holds zeros after allocation -- even the increment of i
451                  * is irrelevant as the increment remains within length of i
452                  */
453                 drbg_cpu_to_be32(i, iv);
454                 /* 10.4.2 step 9.2 -- BCC and concatenation with temp */
455                 ret = drbg_ctr_bcc(drbg, temp + templen, K, &bcc_list);
456                 if (ret)
457                         goto out;
458                 /* 10.4.2 step 9.3 */
459                 i++;
460                 templen += drbg_blocklen(drbg);
461         }
462
463         /* 10.4.2 step 11 */
464         X = temp + (drbg_keylen(drbg));
465         drbg_string_fill(&cipherin, X, drbg_blocklen(drbg));
466
467         /* 10.4.2 step 12: overwriting of outval is implemented in next step */
468
469         /* 10.4.2 step 13 */
470         while (generated_len < bytes_to_return) {
471                 short blocklen = 0;
472                 /*
473                  * 10.4.2 step 13.1: the truncation of the key length is
474                  * implicit as the key is only drbg_blocklen in size based on
475                  * the implementation of the cipher function callback
476                  */
477                 ret = drbg_kcapi_sym(drbg, temp, X, &cipherin);
478                 if (ret)
479                         goto out;
480                 blocklen = (drbg_blocklen(drbg) <
481                                 (bytes_to_return - generated_len)) ?
482                             drbg_blocklen(drbg) :
483                                 (bytes_to_return - generated_len);
484                 /* 10.4.2 step 13.2 and 14 */
485                 memcpy(df_data + generated_len, X, blocklen);
486                 generated_len += blocklen;
487         }
488
489         ret = 0;
490
491 out:
492         memset(iv, 0, drbg_blocklen(drbg));
493         memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg));
494         memset(pad, 0, drbg_blocklen(drbg));
495         return ret;
496 }
497
498 /*
499  * update function of CTR DRBG as defined in 10.2.1.2
500  *
501  * The reseed variable has an enhanced meaning compared to the update
502  * functions of the other DRBGs as follows:
503  * 0 => initial seed from initialization
504  * 1 => reseed via drbg_seed
505  * 2 => first invocation from drbg_ctr_update when addtl is present. In
506  *      this case, the df_data scratchpad is not deleted so that it is
507  *      available for another calls to prevent calling the DF function
508  *      again.
509  * 3 => second invocation from drbg_ctr_update. When the update function
510  *      was called with addtl, the df_data memory already contains the
511  *      DFed addtl information and we do not need to call DF again.
512  */
513 static int drbg_ctr_update(struct drbg_state *drbg, struct list_head *seed,
514                            int reseed)
515 {
516         int ret = -EFAULT;
517         /* 10.2.1.2 step 1 */
518         unsigned char *temp = drbg->scratchpad;
519         unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) +
520                                  drbg_blocklen(drbg);
521         unsigned char *temp_p, *df_data_p; /* pointer to iterate over buffers */
522         unsigned int len = 0;
523         struct drbg_string cipherin;
524
525         if (3 > reseed)
526                 memset(df_data, 0, drbg_statelen(drbg));
527
528         /* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */
529         if (seed) {
530                 ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), seed);
531                 if (ret)
532                         goto out;
533         }
534
535         drbg_string_fill(&cipherin, drbg->V, drbg_blocklen(drbg));
536         /*
537          * 10.2.1.3.2 steps 2 and 3 are already covered as the allocation
538          * zeroizes all memory during initialization
539          */
540         while (len < (drbg_statelen(drbg))) {
541                 /* 10.2.1.2 step 2.1 */
542                 crypto_inc(drbg->V, drbg_blocklen(drbg));
543                 /*
544                  * 10.2.1.2 step 2.2 */
545                 ret = drbg_kcapi_sym(drbg, drbg->C, temp + len, &cipherin);
546                 if (ret)
547                         goto out;
548                 /* 10.2.1.2 step 2.3 and 3 */
549                 len += drbg_blocklen(drbg);
550         }
551
552         /* 10.2.1.2 step 4 */
553         temp_p = temp;
554         df_data_p = df_data;
555         for (len = 0; len < drbg_statelen(drbg); len++) {
556                 *temp_p ^= *df_data_p;
557                 df_data_p++; temp_p++;
558         }
559
560         /* 10.2.1.2 step 5 */
561         memcpy(drbg->C, temp, drbg_keylen(drbg));
562         /* 10.2.1.2 step 6 */
563         memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg));
564         ret = 0;
565
566 out:
567         memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg));
568         if (2 != reseed)
569                 memset(df_data, 0, drbg_statelen(drbg));
570         return ret;
571 }
572
573 /*
574  * scratchpad use: drbg_ctr_update is called independently from
575  * drbg_ctr_extract_bytes. Therefore, the scratchpad is reused
576  */
577 /* Generate function of CTR DRBG as defined in 10.2.1.5.2 */
578 static int drbg_ctr_generate(struct drbg_state *drbg,
579                              unsigned char *buf, unsigned int buflen,
580                              struct list_head *addtl)
581 {
582         int len = 0;
583         int ret = 0;
584         struct drbg_string data;
585
586         /* 10.2.1.5.2 step 2 */
587         if (addtl && !list_empty(addtl)) {
588                 ret = drbg_ctr_update(drbg, addtl, 2);
589                 if (ret)
590                         return 0;
591         }
592
593         /* 10.2.1.5.2 step 4.1 */
594         crypto_inc(drbg->V, drbg_blocklen(drbg));
595         drbg_string_fill(&data, drbg->V, drbg_blocklen(drbg));
596         while (len < buflen) {
597                 int outlen = 0;
598                 /* 10.2.1.5.2 step 4.2 */
599                 ret = drbg_kcapi_sym(drbg, drbg->C, drbg->scratchpad, &data);
600                 if (ret) {
601                         len = ret;
602                         goto out;
603                 }
604                 outlen = (drbg_blocklen(drbg) < (buflen - len)) ?
605                           drbg_blocklen(drbg) : (buflen - len);
606                 if (!drbg_fips_continuous_test(drbg, drbg->scratchpad)) {
607                         /* 10.2.1.5.2 step 6 */
608                         crypto_inc(drbg->V, drbg_blocklen(drbg));
609                         continue;
610                 }
611                 /* 10.2.1.5.2 step 4.3 */
612                 memcpy(buf + len, drbg->scratchpad, outlen);
613                 len += outlen;
614                 /* 10.2.1.5.2 step 6 */
615                 if (len < buflen)
616                         crypto_inc(drbg->V, drbg_blocklen(drbg));
617         }
618
619         /* 10.2.1.5.2 step 6 */
620         ret = drbg_ctr_update(drbg, NULL, 3);
621         if (ret)
622                 len = ret;
623
624 out:
625         memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
626         return len;
627 }
628
629 static struct drbg_state_ops drbg_ctr_ops = {
630         .update         = drbg_ctr_update,
631         .generate       = drbg_ctr_generate,
632         .crypto_init    = drbg_init_sym_kernel,
633         .crypto_fini    = drbg_fini_sym_kernel,
634 };
635 #endif /* CONFIG_CRYPTO_DRBG_CTR */
636
637 /******************************************************************
638  * HMAC DRBG callback functions
639  ******************************************************************/
640
641 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC)
642 static int drbg_kcapi_hash(struct drbg_state *drbg, const unsigned char *key,
643                            unsigned char *outval, const struct list_head *in);
644 static int drbg_init_hash_kernel(struct drbg_state *drbg);
645 static int drbg_fini_hash_kernel(struct drbg_state *drbg);
646 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */
647
648 #ifdef CONFIG_CRYPTO_DRBG_HMAC
649 #define CRYPTO_DRBG_HMAC_STRING "HMAC "
650 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha512");
651 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha512");
652 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha384");
653 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha384");
654 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha256");
655 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha256");
656 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha1");
657 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha1");
658
659 /* update function of HMAC DRBG as defined in 10.1.2.2 */
660 static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed,
661                             int reseed)
662 {
663         int ret = -EFAULT;
664         int i = 0;
665         struct drbg_string seed1, seed2, vdata;
666         LIST_HEAD(seedlist);
667         LIST_HEAD(vdatalist);
668
669         if (!reseed)
670                 /* 10.1.2.3 step 2 -- memset(0) of C is implicit with kzalloc */
671                 memset(drbg->V, 1, drbg_statelen(drbg));
672
673         drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg));
674         list_add_tail(&seed1.list, &seedlist);
675         /* buffer of seed2 will be filled in for loop below with one byte */
676         drbg_string_fill(&seed2, NULL, 1);
677         list_add_tail(&seed2.list, &seedlist);
678         /* input data of seed is allowed to be NULL at this point */
679         if (seed)
680                 list_splice_tail(seed, &seedlist);
681
682         drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg));
683         list_add_tail(&vdata.list, &vdatalist);
684         for (i = 2; 0 < i; i--) {
685                 /* first round uses 0x0, second 0x1 */
686                 unsigned char prefix = DRBG_PREFIX0;
687                 if (1 == i)
688                         prefix = DRBG_PREFIX1;
689                 /* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */
690                 seed2.buf = &prefix;
691                 ret = drbg_kcapi_hash(drbg, drbg->C, drbg->C, &seedlist);
692                 if (ret)
693                         return ret;
694
695                 /* 10.1.2.2 step 2 and 5 -- HMAC for V */
696                 ret = drbg_kcapi_hash(drbg, drbg->C, drbg->V, &vdatalist);
697                 if (ret)
698                         return ret;
699
700                 /* 10.1.2.2 step 3 */
701                 if (!seed)
702                         return ret;
703         }
704
705         return 0;
706 }
707
708 /* generate function of HMAC DRBG as defined in 10.1.2.5 */
709 static int drbg_hmac_generate(struct drbg_state *drbg,
710                               unsigned char *buf,
711                               unsigned int buflen,
712                               struct list_head *addtl)
713 {
714         int len = 0;
715         int ret = 0;
716         struct drbg_string data;
717         LIST_HEAD(datalist);
718
719         /* 10.1.2.5 step 2 */
720         if (addtl && !list_empty(addtl)) {
721                 ret = drbg_hmac_update(drbg, addtl, 1);
722                 if (ret)
723                         return ret;
724         }
725
726         drbg_string_fill(&data, drbg->V, drbg_statelen(drbg));
727         list_add_tail(&data.list, &datalist);
728         while (len < buflen) {
729                 unsigned int outlen = 0;
730                 /* 10.1.2.5 step 4.1 */
731                 ret = drbg_kcapi_hash(drbg, drbg->C, drbg->V, &datalist);
732                 if (ret)
733                         return ret;
734                 outlen = (drbg_blocklen(drbg) < (buflen - len)) ?
735                           drbg_blocklen(drbg) : (buflen - len);
736                 if (!drbg_fips_continuous_test(drbg, drbg->V))
737                         continue;
738
739                 /* 10.1.2.5 step 4.2 */
740                 memcpy(buf + len, drbg->V, outlen);
741                 len += outlen;
742         }
743
744         /* 10.1.2.5 step 6 */
745         if (addtl && !list_empty(addtl))
746                 ret = drbg_hmac_update(drbg, addtl, 1);
747         else
748                 ret = drbg_hmac_update(drbg, NULL, 1);
749         if (ret)
750                 return ret;
751
752         return len;
753 }
754
755 static struct drbg_state_ops drbg_hmac_ops = {
756         .update         = drbg_hmac_update,
757         .generate       = drbg_hmac_generate,
758         .crypto_init    = drbg_init_hash_kernel,
759         .crypto_fini    = drbg_fini_hash_kernel,
760 };
761 #endif /* CONFIG_CRYPTO_DRBG_HMAC */
762
763 /******************************************************************
764  * Hash DRBG callback functions
765  ******************************************************************/
766
767 #ifdef CONFIG_CRYPTO_DRBG_HASH
768 #define CRYPTO_DRBG_HASH_STRING "HASH "
769 MODULE_ALIAS_CRYPTO("drbg_pr_sha512");
770 MODULE_ALIAS_CRYPTO("drbg_nopr_sha512");
771 MODULE_ALIAS_CRYPTO("drbg_pr_sha384");
772 MODULE_ALIAS_CRYPTO("drbg_nopr_sha384");
773 MODULE_ALIAS_CRYPTO("drbg_pr_sha256");
774 MODULE_ALIAS_CRYPTO("drbg_nopr_sha256");
775 MODULE_ALIAS_CRYPTO("drbg_pr_sha1");
776 MODULE_ALIAS_CRYPTO("drbg_nopr_sha1");
777
778 /*
779  * Increment buffer
780  *
781  * @dst buffer to increment
782  * @add value to add
783  */
784 static inline void drbg_add_buf(unsigned char *dst, size_t dstlen,
785                                 const unsigned char *add, size_t addlen)
786 {
787         /* implied: dstlen > addlen */
788         unsigned char *dstptr;
789         const unsigned char *addptr;
790         unsigned int remainder = 0;
791         size_t len = addlen;
792
793         dstptr = dst + (dstlen-1);
794         addptr = add + (addlen-1);
795         while (len) {
796                 remainder += *dstptr + *addptr;
797                 *dstptr = remainder & 0xff;
798                 remainder >>= 8;
799                 len--; dstptr--; addptr--;
800         }
801         len = dstlen - addlen;
802         while (len && remainder > 0) {
803                 remainder = *dstptr + 1;
804                 *dstptr = remainder & 0xff;
805                 remainder >>= 8;
806                 len--; dstptr--;
807         }
808 }
809
810 /*
811  * scratchpad usage: as drbg_hash_update and drbg_hash_df are used
812  * interlinked, the scratchpad is used as follows:
813  * drbg_hash_update
814  *      start: drbg->scratchpad
815  *      length: drbg_statelen(drbg)
816  * drbg_hash_df:
817  *      start: drbg->scratchpad + drbg_statelen(drbg)
818  *      length: drbg_blocklen(drbg)
819  *
820  * drbg_hash_process_addtl uses the scratchpad, but fully completes
821  * before either of the functions mentioned before are invoked. Therefore,
822  * drbg_hash_process_addtl does not need to be specifically considered.
823  */
824
825 /* Derivation Function for Hash DRBG as defined in 10.4.1 */
826 static int drbg_hash_df(struct drbg_state *drbg,
827                         unsigned char *outval, size_t outlen,
828                         struct list_head *entropylist)
829 {
830         int ret = 0;
831         size_t len = 0;
832         unsigned char input[5];
833         unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg);
834         struct drbg_string data;
835
836         /* 10.4.1 step 3 */
837         input[0] = 1;
838         drbg_cpu_to_be32((outlen * 8), &input[1]);
839
840         /* 10.4.1 step 4.1 -- concatenation of data for input into hash */
841         drbg_string_fill(&data, input, 5);
842         list_add(&data.list, entropylist);
843
844         /* 10.4.1 step 4 */
845         while (len < outlen) {
846                 short blocklen = 0;
847                 /* 10.4.1 step 4.1 */
848                 ret = drbg_kcapi_hash(drbg, NULL, tmp, entropylist);
849                 if (ret)
850                         goto out;
851                 /* 10.4.1 step 4.2 */
852                 input[0]++;
853                 blocklen = (drbg_blocklen(drbg) < (outlen - len)) ?
854                             drbg_blocklen(drbg) : (outlen - len);
855                 memcpy(outval + len, tmp, blocklen);
856                 len += blocklen;
857         }
858
859 out:
860         memset(tmp, 0, drbg_blocklen(drbg));
861         return ret;
862 }
863
864 /* update function for Hash DRBG as defined in 10.1.1.2 / 10.1.1.3 */
865 static int drbg_hash_update(struct drbg_state *drbg, struct list_head *seed,
866                             int reseed)
867 {
868         int ret = 0;
869         struct drbg_string data1, data2;
870         LIST_HEAD(datalist);
871         LIST_HEAD(datalist2);
872         unsigned char *V = drbg->scratchpad;
873         unsigned char prefix = DRBG_PREFIX1;
874
875         if (!seed)
876                 return -EINVAL;
877
878         if (reseed) {
879                 /* 10.1.1.3 step 1 */
880                 memcpy(V, drbg->V, drbg_statelen(drbg));
881                 drbg_string_fill(&data1, &prefix, 1);
882                 list_add_tail(&data1.list, &datalist);
883                 drbg_string_fill(&data2, V, drbg_statelen(drbg));
884                 list_add_tail(&data2.list, &datalist);
885         }
886         list_splice_tail(seed, &datalist);
887
888         /* 10.1.1.2 / 10.1.1.3 step 2 and 3 */
889         ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist);
890         if (ret)
891                 goto out;
892
893         /* 10.1.1.2 / 10.1.1.3 step 4  */
894         prefix = DRBG_PREFIX0;
895         drbg_string_fill(&data1, &prefix, 1);
896         list_add_tail(&data1.list, &datalist2);
897         drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
898         list_add_tail(&data2.list, &datalist2);
899         /* 10.1.1.2 / 10.1.1.3 step 4 */
900         ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2);
901
902 out:
903         memset(drbg->scratchpad, 0, drbg_statelen(drbg));
904         return ret;
905 }
906
907 /* processing of additional information string for Hash DRBG */
908 static int drbg_hash_process_addtl(struct drbg_state *drbg,
909                                    struct list_head *addtl)
910 {
911         int ret = 0;
912         struct drbg_string data1, data2;
913         LIST_HEAD(datalist);
914         unsigned char prefix = DRBG_PREFIX2;
915
916         /* 10.1.1.4 step 2 */
917         if (!addtl || list_empty(addtl))
918                 return 0;
919
920         /* 10.1.1.4 step 2a */
921         drbg_string_fill(&data1, &prefix, 1);
922         drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
923         list_add_tail(&data1.list, &datalist);
924         list_add_tail(&data2.list, &datalist);
925         list_splice_tail(addtl, &datalist);
926         ret = drbg_kcapi_hash(drbg, NULL, drbg->scratchpad, &datalist);
927         if (ret)
928                 goto out;
929
930         /* 10.1.1.4 step 2b */
931         drbg_add_buf(drbg->V, drbg_statelen(drbg),
932                      drbg->scratchpad, drbg_blocklen(drbg));
933
934 out:
935         memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
936         return ret;
937 }
938
939 /* Hashgen defined in 10.1.1.4 */
940 static int drbg_hash_hashgen(struct drbg_state *drbg,
941                              unsigned char *buf,
942                              unsigned int buflen)
943 {
944         int len = 0;
945         int ret = 0;
946         unsigned char *src = drbg->scratchpad;
947         unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg);
948         struct drbg_string data;
949         LIST_HEAD(datalist);
950
951         /* 10.1.1.4 step hashgen 2 */
952         memcpy(src, drbg->V, drbg_statelen(drbg));
953
954         drbg_string_fill(&data, src, drbg_statelen(drbg));
955         list_add_tail(&data.list, &datalist);
956         while (len < buflen) {
957                 unsigned int outlen = 0;
958                 /* 10.1.1.4 step hashgen 4.1 */
959                 ret = drbg_kcapi_hash(drbg, NULL, dst, &datalist);
960                 if (ret) {
961                         len = ret;
962                         goto out;
963                 }
964                 outlen = (drbg_blocklen(drbg) < (buflen - len)) ?
965                           drbg_blocklen(drbg) : (buflen - len);
966                 if (!drbg_fips_continuous_test(drbg, dst)) {
967                         crypto_inc(src, drbg_statelen(drbg));
968                         continue;
969                 }
970                 /* 10.1.1.4 step hashgen 4.2 */
971                 memcpy(buf + len, dst, outlen);
972                 len += outlen;
973                 /* 10.1.1.4 hashgen step 4.3 */
974                 if (len < buflen)
975                         crypto_inc(src, drbg_statelen(drbg));
976         }
977
978 out:
979         memset(drbg->scratchpad, 0,
980                (drbg_statelen(drbg) + drbg_blocklen(drbg)));
981         return len;
982 }
983
984 /* generate function for Hash DRBG as defined in  10.1.1.4 */
985 static int drbg_hash_generate(struct drbg_state *drbg,
986                               unsigned char *buf, unsigned int buflen,
987                               struct list_head *addtl)
988 {
989         int len = 0;
990         int ret = 0;
991         union {
992                 unsigned char req[8];
993                 __be64 req_int;
994         } u;
995         unsigned char prefix = DRBG_PREFIX3;
996         struct drbg_string data1, data2;
997         LIST_HEAD(datalist);
998
999         /* 10.1.1.4 step 2 */
1000         ret = drbg_hash_process_addtl(drbg, addtl);
1001         if (ret)
1002                 return ret;
1003         /* 10.1.1.4 step 3 */
1004         len = drbg_hash_hashgen(drbg, buf, buflen);
1005
1006         /* this is the value H as documented in 10.1.1.4 */
1007         /* 10.1.1.4 step 4 */
1008         drbg_string_fill(&data1, &prefix, 1);
1009         list_add_tail(&data1.list, &datalist);
1010         drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
1011         list_add_tail(&data2.list, &datalist);
1012         ret = drbg_kcapi_hash(drbg, NULL, drbg->scratchpad, &datalist);
1013         if (ret) {
1014                 len = ret;
1015                 goto out;
1016         }
1017
1018         /* 10.1.1.4 step 5 */
1019         drbg_add_buf(drbg->V, drbg_statelen(drbg),
1020                      drbg->scratchpad, drbg_blocklen(drbg));
1021         drbg_add_buf(drbg->V, drbg_statelen(drbg),
1022                      drbg->C, drbg_statelen(drbg));
1023         u.req_int = cpu_to_be64(drbg->reseed_ctr);
1024         drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8);
1025
1026 out:
1027         memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
1028         return len;
1029 }
1030
1031 /*
1032  * scratchpad usage: as update and generate are used isolated, both
1033  * can use the scratchpad
1034  */
1035 static struct drbg_state_ops drbg_hash_ops = {
1036         .update         = drbg_hash_update,
1037         .generate       = drbg_hash_generate,
1038         .crypto_init    = drbg_init_hash_kernel,
1039         .crypto_fini    = drbg_fini_hash_kernel,
1040 };
1041 #endif /* CONFIG_CRYPTO_DRBG_HASH */
1042
1043 /******************************************************************
1044  * Functions common for DRBG implementations
1045  ******************************************************************/
1046
1047 static inline int __drbg_seed(struct drbg_state *drbg, struct list_head *seed,
1048                               int reseed)
1049 {
1050         int ret = drbg->d_ops->update(drbg, seed, reseed);
1051
1052         if (ret)
1053                 return ret;
1054
1055         drbg->seeded = true;
1056         /* 10.1.1.2 / 10.1.1.3 step 5 */
1057         drbg->reseed_ctr = 1;
1058
1059         return ret;
1060 }
1061
1062 static void drbg_async_seed(struct work_struct *work)
1063 {
1064         struct drbg_string data;
1065         LIST_HEAD(seedlist);
1066         struct drbg_state *drbg = container_of(work, struct drbg_state,
1067                                                seed_work);
1068         unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
1069         unsigned char entropy[32];
1070
1071         BUG_ON(!entropylen);
1072         BUG_ON(entropylen > sizeof(entropy));
1073         get_random_bytes(entropy, entropylen);
1074
1075         drbg_string_fill(&data, entropy, entropylen);
1076         list_add_tail(&data.list, &seedlist);
1077
1078         mutex_lock(&drbg->drbg_mutex);
1079
1080         /* If nonblocking pool is initialized, deactivate Jitter RNG */
1081         crypto_free_rng(drbg->jent);
1082         drbg->jent = NULL;
1083
1084         /* Set seeded to false so that if __drbg_seed fails the
1085          * next generate call will trigger a reseed.
1086          */
1087         drbg->seeded = false;
1088
1089         __drbg_seed(drbg, &seedlist, true);
1090
1091         if (drbg->seeded)
1092                 drbg->reseed_threshold = drbg_max_requests(drbg);
1093
1094         mutex_unlock(&drbg->drbg_mutex);
1095
1096         memzero_explicit(entropy, entropylen);
1097 }
1098
1099 /*
1100  * Seeding or reseeding of the DRBG
1101  *
1102  * @drbg: DRBG state struct
1103  * @pers: personalization / additional information buffer
1104  * @reseed: 0 for initial seed process, 1 for reseeding
1105  *
1106  * return:
1107  *      0 on success
1108  *      error value otherwise
1109  */
1110 static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers,
1111                      bool reseed)
1112 {
1113         int ret;
1114         unsigned char entropy[((32 + 16) * 2)];
1115         unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
1116         struct drbg_string data1;
1117         LIST_HEAD(seedlist);
1118
1119         /* 9.1 / 9.2 / 9.3.1 step 3 */
1120         if (pers && pers->len > (drbg_max_addtl(drbg))) {
1121                 pr_devel("DRBG: personalization string too long %zu\n",
1122                          pers->len);
1123                 return -EINVAL;
1124         }
1125
1126         if (list_empty(&drbg->test_data.list)) {
1127                 drbg_string_fill(&data1, drbg->test_data.buf,
1128                                  drbg->test_data.len);
1129                 pr_devel("DRBG: using test entropy\n");
1130         } else {
1131                 /*
1132                  * Gather entropy equal to the security strength of the DRBG.
1133                  * With a derivation function, a nonce is required in addition
1134                  * to the entropy. A nonce must be at least 1/2 of the security
1135                  * strength of the DRBG in size. Thus, entropy + nonce is 3/2
1136                  * of the strength. The consideration of a nonce is only
1137                  * applicable during initial seeding.
1138                  */
1139                 BUG_ON(!entropylen);
1140                 if (!reseed)
1141                         entropylen = ((entropylen + 1) / 2) * 3;
1142                 BUG_ON((entropylen * 2) > sizeof(entropy));
1143
1144                 /* Get seed from in-kernel /dev/urandom */
1145                 get_random_bytes(entropy, entropylen);
1146
1147                 if (!drbg->jent) {
1148                         drbg_string_fill(&data1, entropy, entropylen);
1149                         pr_devel("DRBG: (re)seeding with %u bytes of entropy\n",
1150                                  entropylen);
1151                 } else {
1152                         /* Get seed from Jitter RNG */
1153                         ret = crypto_rng_get_bytes(drbg->jent,
1154                                                    entropy + entropylen,
1155                                                    entropylen);
1156                         if (ret) {
1157                                 pr_devel("DRBG: jent failed with %d\n", ret);
1158                                 return ret;
1159                         }
1160
1161                         drbg_string_fill(&data1, entropy, entropylen * 2);
1162                         pr_devel("DRBG: (re)seeding with %u bytes of entropy\n",
1163                                  entropylen * 2);
1164                 }
1165         }
1166         list_add_tail(&data1.list, &seedlist);
1167
1168         /*
1169          * concatenation of entropy with personalization str / addtl input)
1170          * the variable pers is directly handed in by the caller, so check its
1171          * contents whether it is appropriate
1172          */
1173         if (pers && pers->buf && 0 < pers->len) {
1174                 list_add_tail(&pers->list, &seedlist);
1175                 pr_devel("DRBG: using personalization string\n");
1176         }
1177
1178         if (!reseed) {
1179                 memset(drbg->V, 0, drbg_statelen(drbg));
1180                 memset(drbg->C, 0, drbg_statelen(drbg));
1181         }
1182
1183         ret = __drbg_seed(drbg, &seedlist, reseed);
1184
1185         memzero_explicit(entropy, entropylen * 2);
1186
1187         return ret;
1188 }
1189
1190 /* Free all substructures in a DRBG state without the DRBG state structure */
1191 static inline void drbg_dealloc_state(struct drbg_state *drbg)
1192 {
1193         if (!drbg)
1194                 return;
1195         kzfree(drbg->V);
1196         drbg->V = NULL;
1197         kzfree(drbg->C);
1198         drbg->C = NULL;
1199         kzfree(drbg->scratchpad);
1200         drbg->scratchpad = NULL;
1201         drbg->reseed_ctr = 0;
1202         drbg->d_ops = NULL;
1203         drbg->core = NULL;
1204 #ifdef CONFIG_CRYPTO_FIPS
1205         kzfree(drbg->prev);
1206         drbg->prev = NULL;
1207         drbg->fips_primed = false;
1208 #endif
1209 }
1210
1211 /*
1212  * Allocate all sub-structures for a DRBG state.
1213  * The DRBG state structure must already be allocated.
1214  */
1215 static inline int drbg_alloc_state(struct drbg_state *drbg)
1216 {
1217         int ret = -ENOMEM;
1218         unsigned int sb_size = 0;
1219
1220         switch (drbg->core->flags & DRBG_TYPE_MASK) {
1221 #ifdef CONFIG_CRYPTO_DRBG_HMAC
1222         case DRBG_HMAC:
1223                 drbg->d_ops = &drbg_hmac_ops;
1224                 break;
1225 #endif /* CONFIG_CRYPTO_DRBG_HMAC */
1226 #ifdef CONFIG_CRYPTO_DRBG_HASH
1227         case DRBG_HASH:
1228                 drbg->d_ops = &drbg_hash_ops;
1229                 break;
1230 #endif /* CONFIG_CRYPTO_DRBG_HASH */
1231 #ifdef CONFIG_CRYPTO_DRBG_CTR
1232         case DRBG_CTR:
1233                 drbg->d_ops = &drbg_ctr_ops;
1234                 break;
1235 #endif /* CONFIG_CRYPTO_DRBG_CTR */
1236         default:
1237                 ret = -EOPNOTSUPP;
1238                 goto err;
1239         }
1240
1241         drbg->V = kmalloc(drbg_statelen(drbg), GFP_KERNEL);
1242         if (!drbg->V)
1243                 goto err;
1244         drbg->C = kmalloc(drbg_statelen(drbg), GFP_KERNEL);
1245         if (!drbg->C)
1246                 goto err;
1247 #ifdef CONFIG_CRYPTO_FIPS
1248         drbg->prev = kmalloc(drbg_blocklen(drbg), GFP_KERNEL);
1249         if (!drbg->prev)
1250                 goto err;
1251         drbg->fips_primed = false;
1252 #endif
1253         /* scratchpad is only generated for CTR and Hash */
1254         if (drbg->core->flags & DRBG_HMAC)
1255                 sb_size = 0;
1256         else if (drbg->core->flags & DRBG_CTR)
1257                 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) + /* temp */
1258                           drbg_statelen(drbg) + /* df_data */
1259                           drbg_blocklen(drbg) + /* pad */
1260                           drbg_blocklen(drbg) + /* iv */
1261                           drbg_statelen(drbg) + drbg_blocklen(drbg); /* temp */
1262         else
1263                 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg);
1264
1265         if (0 < sb_size) {
1266                 drbg->scratchpad = kzalloc(sb_size, GFP_KERNEL);
1267                 if (!drbg->scratchpad)
1268                         goto err;
1269         }
1270
1271         return 0;
1272
1273 err:
1274         drbg_dealloc_state(drbg);
1275         return ret;
1276 }
1277
1278 /*************************************************************************
1279  * DRBG interface functions
1280  *************************************************************************/
1281
1282 /*
1283  * DRBG generate function as required by SP800-90A - this function
1284  * generates random numbers
1285  *
1286  * @drbg DRBG state handle
1287  * @buf Buffer where to store the random numbers -- the buffer must already
1288  *      be pre-allocated by caller
1289  * @buflen Length of output buffer - this value defines the number of random
1290  *         bytes pulled from DRBG
1291  * @addtl Additional input that is mixed into state, may be NULL -- note
1292  *        the entropy is pulled by the DRBG internally unconditionally
1293  *        as defined in SP800-90A. The additional input is mixed into
1294  *        the state in addition to the pulled entropy.
1295  *
1296  * return: 0 when all bytes are generated; < 0 in case of an error
1297  */
1298 static int drbg_generate(struct drbg_state *drbg,
1299                          unsigned char *buf, unsigned int buflen,
1300                          struct drbg_string *addtl)
1301 {
1302         int len = 0;
1303         LIST_HEAD(addtllist);
1304
1305         if (!drbg->core) {
1306                 pr_devel("DRBG: not yet seeded\n");
1307                 return -EINVAL;
1308         }
1309         if (0 == buflen || !buf) {
1310                 pr_devel("DRBG: no output buffer provided\n");
1311                 return -EINVAL;
1312         }
1313         if (addtl && NULL == addtl->buf && 0 < addtl->len) {
1314                 pr_devel("DRBG: wrong format of additional information\n");
1315                 return -EINVAL;
1316         }
1317
1318         /* 9.3.1 step 2 */
1319         len = -EINVAL;
1320         if (buflen > (drbg_max_request_bytes(drbg))) {
1321                 pr_devel("DRBG: requested random numbers too large %u\n",
1322                          buflen);
1323                 goto err;
1324         }
1325
1326         /* 9.3.1 step 3 is implicit with the chosen DRBG */
1327
1328         /* 9.3.1 step 4 */
1329         if (addtl && addtl->len > (drbg_max_addtl(drbg))) {
1330                 pr_devel("DRBG: additional information string too long %zu\n",
1331                          addtl->len);
1332                 goto err;
1333         }
1334         /* 9.3.1 step 5 is implicit with the chosen DRBG */
1335
1336         /*
1337          * 9.3.1 step 6 and 9 supplemented by 9.3.2 step c is implemented
1338          * here. The spec is a bit convoluted here, we make it simpler.
1339          */
1340         if (drbg->reseed_threshold < drbg->reseed_ctr)
1341                 drbg->seeded = false;
1342
1343         if (drbg->pr || !drbg->seeded) {
1344                 pr_devel("DRBG: reseeding before generation (prediction "
1345                          "resistance: %s, state %s)\n",
1346                          drbg->pr ? "true" : "false",
1347                          drbg->seeded ? "seeded" : "unseeded");
1348                 /* 9.3.1 steps 7.1 through 7.3 */
1349                 len = drbg_seed(drbg, addtl, true);
1350                 if (len)
1351                         goto err;
1352                 /* 9.3.1 step 7.4 */
1353                 addtl = NULL;
1354         }
1355
1356         if (addtl && 0 < addtl->len)
1357                 list_add_tail(&addtl->list, &addtllist);
1358         /* 9.3.1 step 8 and 10 */
1359         len = drbg->d_ops->generate(drbg, buf, buflen, &addtllist);
1360
1361         /* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */
1362         drbg->reseed_ctr++;
1363         if (0 >= len)
1364                 goto err;
1365
1366         /*
1367          * Section 11.3.3 requires to re-perform self tests after some
1368          * generated random numbers. The chosen value after which self
1369          * test is performed is arbitrary, but it should be reasonable.
1370          * However, we do not perform the self tests because of the following
1371          * reasons: it is mathematically impossible that the initial self tests
1372          * were successfully and the following are not. If the initial would
1373          * pass and the following would not, the kernel integrity is violated.
1374          * In this case, the entire kernel operation is questionable and it
1375          * is unlikely that the integrity violation only affects the
1376          * correct operation of the DRBG.
1377          *
1378          * Albeit the following code is commented out, it is provided in
1379          * case somebody has a need to implement the test of 11.3.3.
1380          */
1381 #if 0
1382         if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096)) {
1383                 int err = 0;
1384                 pr_devel("DRBG: start to perform self test\n");
1385                 if (drbg->core->flags & DRBG_HMAC)
1386                         err = alg_test("drbg_pr_hmac_sha256",
1387                                        "drbg_pr_hmac_sha256", 0, 0);
1388                 else if (drbg->core->flags & DRBG_CTR)
1389                         err = alg_test("drbg_pr_ctr_aes128",
1390                                        "drbg_pr_ctr_aes128", 0, 0);
1391                 else
1392                         err = alg_test("drbg_pr_sha256",
1393                                        "drbg_pr_sha256", 0, 0);
1394                 if (err) {
1395                         pr_err("DRBG: periodical self test failed\n");
1396                         /*
1397                          * uninstantiate implies that from now on, only errors
1398                          * are returned when reusing this DRBG cipher handle
1399                          */
1400                         drbg_uninstantiate(drbg);
1401                         return 0;
1402                 } else {
1403                         pr_devel("DRBG: self test successful\n");
1404                 }
1405         }
1406 #endif
1407
1408         /*
1409          * All operations were successful, return 0 as mandated by
1410          * the kernel crypto API interface.
1411          */
1412         len = 0;
1413 err:
1414         return len;
1415 }
1416
1417 /*
1418  * Wrapper around drbg_generate which can pull arbitrary long strings
1419  * from the DRBG without hitting the maximum request limitation.
1420  *
1421  * Parameters: see drbg_generate
1422  * Return codes: see drbg_generate -- if one drbg_generate request fails,
1423  *               the entire drbg_generate_long request fails
1424  */
1425 static int drbg_generate_long(struct drbg_state *drbg,
1426                               unsigned char *buf, unsigned int buflen,
1427                               struct drbg_string *addtl)
1428 {
1429         unsigned int len = 0;
1430         unsigned int slice = 0;
1431         do {
1432                 int err = 0;
1433                 unsigned int chunk = 0;
1434                 slice = ((buflen - len) / drbg_max_request_bytes(drbg));
1435                 chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len);
1436                 mutex_lock(&drbg->drbg_mutex);
1437                 err = drbg_generate(drbg, buf + len, chunk, addtl);
1438                 mutex_unlock(&drbg->drbg_mutex);
1439                 if (0 > err)
1440                         return err;
1441                 len += chunk;
1442         } while (slice > 0 && (len < buflen));
1443         return 0;
1444 }
1445
1446 static void drbg_schedule_async_seed(struct random_ready_callback *rdy)
1447 {
1448         struct drbg_state *drbg = container_of(rdy, struct drbg_state,
1449                                                random_ready);
1450
1451         schedule_work(&drbg->seed_work);
1452 }
1453
1454 static int drbg_prepare_hrng(struct drbg_state *drbg)
1455 {
1456         int err;
1457
1458         /* We do not need an HRNG in test mode. */
1459         if (list_empty(&drbg->test_data.list))
1460                 return 0;
1461
1462         INIT_WORK(&drbg->seed_work, drbg_async_seed);
1463
1464         drbg->random_ready.owner = THIS_MODULE;
1465         drbg->random_ready.func = drbg_schedule_async_seed;
1466
1467         err = add_random_ready_callback(&drbg->random_ready);
1468
1469         switch (err) {
1470         case 0:
1471                 break;
1472
1473         case -EALREADY:
1474                 err = 0;
1475                 /* fall through */
1476
1477         default:
1478                 drbg->random_ready.func = NULL;
1479                 return err;
1480         }
1481
1482         drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0);
1483
1484         /*
1485          * Require frequent reseeds until the seed source is fully
1486          * initialized.
1487          */
1488         drbg->reseed_threshold = 50;
1489
1490         return err;
1491 }
1492
1493 /*
1494  * DRBG instantiation function as required by SP800-90A - this function
1495  * sets up the DRBG handle, performs the initial seeding and all sanity
1496  * checks required by SP800-90A
1497  *
1498  * @drbg memory of state -- if NULL, new memory is allocated
1499  * @pers Personalization string that is mixed into state, may be NULL -- note
1500  *       the entropy is pulled by the DRBG internally unconditionally
1501  *       as defined in SP800-90A. The additional input is mixed into
1502  *       the state in addition to the pulled entropy.
1503  * @coreref reference to core
1504  * @pr prediction resistance enabled
1505  *
1506  * return
1507  *      0 on success
1508  *      error value otherwise
1509  */
1510 static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers,
1511                             int coreref, bool pr)
1512 {
1513         int ret;
1514         bool reseed = true;
1515
1516         pr_devel("DRBG: Initializing DRBG core %d with prediction resistance "
1517                  "%s\n", coreref, pr ? "enabled" : "disabled");
1518         mutex_lock(&drbg->drbg_mutex);
1519
1520         /* 9.1 step 1 is implicit with the selected DRBG type */
1521
1522         /*
1523          * 9.1 step 2 is implicit as caller can select prediction resistance
1524          * and the flag is copied into drbg->flags --
1525          * all DRBG types support prediction resistance
1526          */
1527
1528         /* 9.1 step 4 is implicit in  drbg_sec_strength */
1529
1530         if (!drbg->core) {
1531                 drbg->core = &drbg_cores[coreref];
1532                 drbg->pr = pr;
1533                 drbg->seeded = false;
1534                 drbg->reseed_threshold = drbg_max_requests(drbg);
1535
1536                 ret = drbg_alloc_state(drbg);
1537                 if (ret)
1538                         goto unlock;
1539
1540                 ret = -EFAULT;
1541                 if (drbg->d_ops->crypto_init(drbg))
1542                         goto err;
1543
1544                 ret = drbg_prepare_hrng(drbg);
1545                 if (ret)
1546                         goto free_everything;
1547
1548                 if (IS_ERR(drbg->jent)) {
1549                         ret = PTR_ERR(drbg->jent);
1550                         drbg->jent = NULL;
1551                         if (fips_enabled || ret != -ENOENT)
1552                                 goto free_everything;
1553                         pr_info("DRBG: Continuing without Jitter RNG\n");
1554                 }
1555
1556                 reseed = false;
1557         }
1558
1559         ret = drbg_seed(drbg, pers, reseed);
1560
1561         if (ret && !reseed)
1562                 goto free_everything;
1563
1564         mutex_unlock(&drbg->drbg_mutex);
1565         return ret;
1566
1567 err:
1568         drbg_dealloc_state(drbg);
1569 unlock:
1570         mutex_unlock(&drbg->drbg_mutex);
1571         return ret;
1572
1573 free_everything:
1574         mutex_unlock(&drbg->drbg_mutex);
1575         drbg_uninstantiate(drbg);
1576         return ret;
1577 }
1578
1579 /*
1580  * DRBG uninstantiate function as required by SP800-90A - this function
1581  * frees all buffers and the DRBG handle
1582  *
1583  * @drbg DRBG state handle
1584  *
1585  * return
1586  *      0 on success
1587  */
1588 static int drbg_uninstantiate(struct drbg_state *drbg)
1589 {
1590         if (drbg->random_ready.func) {
1591                 del_random_ready_callback(&drbg->random_ready);
1592                 cancel_work_sync(&drbg->seed_work);
1593                 crypto_free_rng(drbg->jent);
1594                 drbg->jent = NULL;
1595         }
1596
1597         if (drbg->d_ops)
1598                 drbg->d_ops->crypto_fini(drbg);
1599         drbg_dealloc_state(drbg);
1600         /* no scrubbing of test_data -- this shall survive an uninstantiate */
1601         return 0;
1602 }
1603
1604 /*
1605  * Helper function for setting the test data in the DRBG
1606  *
1607  * @drbg DRBG state handle
1608  * @data test data
1609  * @len test data length
1610  */
1611 static void drbg_kcapi_set_entropy(struct crypto_rng *tfm,
1612                                    const u8 *data, unsigned int len)
1613 {
1614         struct drbg_state *drbg = crypto_rng_ctx(tfm);
1615
1616         mutex_lock(&drbg->drbg_mutex);
1617         drbg_string_fill(&drbg->test_data, data, len);
1618         mutex_unlock(&drbg->drbg_mutex);
1619 }
1620
1621 /***************************************************************
1622  * Kernel crypto API cipher invocations requested by DRBG
1623  ***************************************************************/
1624
1625 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC)
1626 struct sdesc {
1627         struct shash_desc shash;
1628         char ctx[];
1629 };
1630
1631 static int drbg_init_hash_kernel(struct drbg_state *drbg)
1632 {
1633         struct sdesc *sdesc;
1634         struct crypto_shash *tfm;
1635
1636         tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0);
1637         if (IS_ERR(tfm)) {
1638                 pr_info("DRBG: could not allocate digest TFM handle: %s\n",
1639                                 drbg->core->backend_cra_name);
1640                 return PTR_ERR(tfm);
1641         }
1642         BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(tfm));
1643         sdesc = kzalloc(sizeof(struct shash_desc) + crypto_shash_descsize(tfm),
1644                         GFP_KERNEL);
1645         if (!sdesc) {
1646                 crypto_free_shash(tfm);
1647                 return -ENOMEM;
1648         }
1649
1650         sdesc->shash.tfm = tfm;
1651         sdesc->shash.flags = 0;
1652         drbg->priv_data = sdesc;
1653         return 0;
1654 }
1655
1656 static int drbg_fini_hash_kernel(struct drbg_state *drbg)
1657 {
1658         struct sdesc *sdesc = (struct sdesc *)drbg->priv_data;
1659         if (sdesc) {
1660                 crypto_free_shash(sdesc->shash.tfm);
1661                 kzfree(sdesc);
1662         }
1663         drbg->priv_data = NULL;
1664         return 0;
1665 }
1666
1667 static int drbg_kcapi_hash(struct drbg_state *drbg, const unsigned char *key,
1668                            unsigned char *outval, const struct list_head *in)
1669 {
1670         struct sdesc *sdesc = (struct sdesc *)drbg->priv_data;
1671         struct drbg_string *input = NULL;
1672
1673         if (key)
1674                 crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg));
1675         crypto_shash_init(&sdesc->shash);
1676         list_for_each_entry(input, in, list)
1677                 crypto_shash_update(&sdesc->shash, input->buf, input->len);
1678         return crypto_shash_final(&sdesc->shash, outval);
1679 }
1680 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */
1681
1682 #ifdef CONFIG_CRYPTO_DRBG_CTR
1683 static int drbg_init_sym_kernel(struct drbg_state *drbg)
1684 {
1685         int ret = 0;
1686         struct crypto_cipher *tfm;
1687
1688         tfm = crypto_alloc_cipher(drbg->core->backend_cra_name, 0, 0);
1689         if (IS_ERR(tfm)) {
1690                 pr_info("DRBG: could not allocate cipher TFM handle: %s\n",
1691                                 drbg->core->backend_cra_name);
1692                 return PTR_ERR(tfm);
1693         }
1694         BUG_ON(drbg_blocklen(drbg) != crypto_cipher_blocksize(tfm));
1695         drbg->priv_data = tfm;
1696         return ret;
1697 }
1698
1699 static int drbg_fini_sym_kernel(struct drbg_state *drbg)
1700 {
1701         struct crypto_cipher *tfm =
1702                 (struct crypto_cipher *)drbg->priv_data;
1703         if (tfm)
1704                 crypto_free_cipher(tfm);
1705         drbg->priv_data = NULL;
1706         return 0;
1707 }
1708
1709 static int drbg_kcapi_sym(struct drbg_state *drbg, const unsigned char *key,
1710                           unsigned char *outval, const struct drbg_string *in)
1711 {
1712         struct crypto_cipher *tfm =
1713                 (struct crypto_cipher *)drbg->priv_data;
1714
1715         crypto_cipher_setkey(tfm, key, (drbg_keylen(drbg)));
1716         /* there is only component in *in */
1717         BUG_ON(in->len < drbg_blocklen(drbg));
1718         crypto_cipher_encrypt_one(tfm, outval, in->buf);
1719         return 0;
1720 }
1721 #endif /* CONFIG_CRYPTO_DRBG_CTR */
1722
1723 /***************************************************************
1724  * Kernel crypto API interface to register DRBG
1725  ***************************************************************/
1726
1727 /*
1728  * Look up the DRBG flags by given kernel crypto API cra_name
1729  * The code uses the drbg_cores definition to do this
1730  *
1731  * @cra_name kernel crypto API cra_name
1732  * @coreref reference to integer which is filled with the pointer to
1733  *  the applicable core
1734  * @pr reference for setting prediction resistance
1735  *
1736  * return: flags
1737  */
1738 static inline void drbg_convert_tfm_core(const char *cra_driver_name,
1739                                          int *coreref, bool *pr)
1740 {
1741         int i = 0;
1742         size_t start = 0;
1743         int len = 0;
1744
1745         *pr = true;
1746         /* disassemble the names */
1747         if (!memcmp(cra_driver_name, "drbg_nopr_", 10)) {
1748                 start = 10;
1749                 *pr = false;
1750         } else if (!memcmp(cra_driver_name, "drbg_pr_", 8)) {
1751                 start = 8;
1752         } else {
1753                 return;
1754         }
1755
1756         /* remove the first part */
1757         len = strlen(cra_driver_name) - start;
1758         for (i = 0; ARRAY_SIZE(drbg_cores) > i; i++) {
1759                 if (!memcmp(cra_driver_name + start, drbg_cores[i].cra_name,
1760                             len)) {
1761                         *coreref = i;
1762                         return;
1763                 }
1764         }
1765 }
1766
1767 static int drbg_kcapi_init(struct crypto_tfm *tfm)
1768 {
1769         struct drbg_state *drbg = crypto_tfm_ctx(tfm);
1770
1771         mutex_init(&drbg->drbg_mutex);
1772
1773         return 0;
1774 }
1775
1776 static void drbg_kcapi_cleanup(struct crypto_tfm *tfm)
1777 {
1778         drbg_uninstantiate(crypto_tfm_ctx(tfm));
1779 }
1780
1781 /*
1782  * Generate random numbers invoked by the kernel crypto API:
1783  * The API of the kernel crypto API is extended as follows:
1784  *
1785  * src is additional input supplied to the RNG.
1786  * slen is the length of src.
1787  * dst is the output buffer where random data is to be stored.
1788  * dlen is the length of dst.
1789  */
1790 static int drbg_kcapi_random(struct crypto_rng *tfm,
1791                              const u8 *src, unsigned int slen,
1792                              u8 *dst, unsigned int dlen)
1793 {
1794         struct drbg_state *drbg = crypto_rng_ctx(tfm);
1795         struct drbg_string *addtl = NULL;
1796         struct drbg_string string;
1797
1798         if (slen) {
1799                 /* linked list variable is now local to allow modification */
1800                 drbg_string_fill(&string, src, slen);
1801                 addtl = &string;
1802         }
1803
1804         return drbg_generate_long(drbg, dst, dlen, addtl);
1805 }
1806
1807 /*
1808  * Seed the DRBG invoked by the kernel crypto API
1809  */
1810 static int drbg_kcapi_seed(struct crypto_rng *tfm,
1811                            const u8 *seed, unsigned int slen)
1812 {
1813         struct drbg_state *drbg = crypto_rng_ctx(tfm);
1814         struct crypto_tfm *tfm_base = crypto_rng_tfm(tfm);
1815         bool pr = false;
1816         struct drbg_string string;
1817         struct drbg_string *seed_string = NULL;
1818         int coreref = 0;
1819
1820         drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm_base), &coreref,
1821                               &pr);
1822         if (0 < slen) {
1823                 drbg_string_fill(&string, seed, slen);
1824                 seed_string = &string;
1825         }
1826
1827         return drbg_instantiate(drbg, seed_string, coreref, pr);
1828 }
1829
1830 /***************************************************************
1831  * Kernel module: code to load the module
1832  ***************************************************************/
1833
1834 /*
1835  * Tests as defined in 11.3.2 in addition to the cipher tests: testing
1836  * of the error handling.
1837  *
1838  * Note: testing of failing seed source as defined in 11.3.2 is not applicable
1839  * as seed source of get_random_bytes does not fail.
1840  *
1841  * Note 2: There is no sensible way of testing the reseed counter
1842  * enforcement, so skip it.
1843  */
1844 static inline int __init drbg_healthcheck_sanity(void)
1845 {
1846         int len = 0;
1847 #define OUTBUFLEN 16
1848         unsigned char buf[OUTBUFLEN];
1849         struct drbg_state *drbg = NULL;
1850         int ret = -EFAULT;
1851         int rc = -EFAULT;
1852         bool pr = false;
1853         int coreref = 0;
1854         struct drbg_string addtl;
1855         size_t max_addtllen, max_request_bytes;
1856
1857         /* only perform test in FIPS mode */
1858         if (!fips_enabled)
1859                 return 0;
1860
1861 #ifdef CONFIG_CRYPTO_DRBG_CTR
1862         drbg_convert_tfm_core("drbg_nopr_ctr_aes128", &coreref, &pr);
1863 #elif defined CONFIG_CRYPTO_DRBG_HASH
1864         drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr);
1865 #else
1866         drbg_convert_tfm_core("drbg_nopr_hmac_sha256", &coreref, &pr);
1867 #endif
1868
1869         drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL);
1870         if (!drbg)
1871                 return -ENOMEM;
1872
1873         mutex_init(&drbg->drbg_mutex);
1874
1875         /*
1876          * if the following tests fail, it is likely that there is a buffer
1877          * overflow as buf is much smaller than the requested or provided
1878          * string lengths -- in case the error handling does not succeed
1879          * we may get an OOPS. And we want to get an OOPS as this is a
1880          * grave bug.
1881          */
1882
1883         /* get a valid instance of DRBG for following tests */
1884         ret = drbg_instantiate(drbg, NULL, coreref, pr);
1885         if (ret) {
1886                 rc = ret;
1887                 goto outbuf;
1888         }
1889         max_addtllen = drbg_max_addtl(drbg);
1890         max_request_bytes = drbg_max_request_bytes(drbg);
1891         drbg_string_fill(&addtl, buf, max_addtllen + 1);
1892         /* overflow addtllen with additonal info string */
1893         len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl);
1894         BUG_ON(0 < len);
1895         /* overflow max_bits */
1896         len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL);
1897         BUG_ON(0 < len);
1898         drbg_uninstantiate(drbg);
1899
1900         /* overflow max addtllen with personalization string */
1901         ret = drbg_instantiate(drbg, &addtl, coreref, pr);
1902         BUG_ON(0 == ret);
1903         /* all tests passed */
1904         rc = 0;
1905
1906         pr_devel("DRBG: Sanity tests for failure code paths successfully "
1907                  "completed\n");
1908
1909         drbg_uninstantiate(drbg);
1910 outbuf:
1911         kzfree(drbg);
1912         return rc;
1913 }
1914
1915 static struct rng_alg drbg_algs[22];
1916
1917 /*
1918  * Fill the array drbg_algs used to register the different DRBGs
1919  * with the kernel crypto API. To fill the array, the information
1920  * from drbg_cores[] is used.
1921  */
1922 static inline void __init drbg_fill_array(struct rng_alg *alg,
1923                                           const struct drbg_core *core, int pr)
1924 {
1925         int pos = 0;
1926         static int priority = 200;
1927
1928         memcpy(alg->base.cra_name, "stdrng", 6);
1929         if (pr) {
1930                 memcpy(alg->base.cra_driver_name, "drbg_pr_", 8);
1931                 pos = 8;
1932         } else {
1933                 memcpy(alg->base.cra_driver_name, "drbg_nopr_", 10);
1934                 pos = 10;
1935         }
1936         memcpy(alg->base.cra_driver_name + pos, core->cra_name,
1937                strlen(core->cra_name));
1938
1939         alg->base.cra_priority = priority;
1940         priority++;
1941         /*
1942          * If FIPS mode enabled, the selected DRBG shall have the
1943          * highest cra_priority over other stdrng instances to ensure
1944          * it is selected.
1945          */
1946         if (fips_enabled)
1947                 alg->base.cra_priority += 200;
1948
1949         alg->base.cra_ctxsize   = sizeof(struct drbg_state);
1950         alg->base.cra_module    = THIS_MODULE;
1951         alg->base.cra_init      = drbg_kcapi_init;
1952         alg->base.cra_exit      = drbg_kcapi_cleanup;
1953         alg->generate           = drbg_kcapi_random;
1954         alg->seed               = drbg_kcapi_seed;
1955         alg->set_ent            = drbg_kcapi_set_entropy;
1956         alg->seedsize           = 0;
1957 }
1958
1959 static int __init drbg_init(void)
1960 {
1961         unsigned int i = 0; /* pointer to drbg_algs */
1962         unsigned int j = 0; /* pointer to drbg_cores */
1963         int ret = -EFAULT;
1964
1965         ret = drbg_healthcheck_sanity();
1966         if (ret)
1967                 return ret;
1968
1969         if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) {
1970                 pr_info("DRBG: Cannot register all DRBG types"
1971                         "(slots needed: %zu, slots available: %zu)\n",
1972                         ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs));
1973                 return ret;
1974         }
1975
1976         /*
1977          * each DRBG definition can be used with PR and without PR, thus
1978          * we instantiate each DRBG in drbg_cores[] twice.
1979          *
1980          * As the order of placing them into the drbg_algs array matters
1981          * (the later DRBGs receive a higher cra_priority) we register the
1982          * prediction resistance DRBGs first as the should not be too
1983          * interesting.
1984          */
1985         for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++)
1986                 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 1);
1987         for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++)
1988                 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 0);
1989         return crypto_register_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2));
1990 }
1991
1992 static void __exit drbg_exit(void)
1993 {
1994         crypto_unregister_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2));
1995 }
1996
1997 module_init(drbg_init);
1998 module_exit(drbg_exit);
1999 #ifndef CRYPTO_DRBG_HASH_STRING
2000 #define CRYPTO_DRBG_HASH_STRING ""
2001 #endif
2002 #ifndef CRYPTO_DRBG_HMAC_STRING
2003 #define CRYPTO_DRBG_HMAC_STRING ""
2004 #endif
2005 #ifndef CRYPTO_DRBG_CTR_STRING
2006 #define CRYPTO_DRBG_CTR_STRING ""
2007 #endif
2008 MODULE_LICENSE("GPL");
2009 MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
2010 MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) "
2011                    "using following cores: "
2012                    CRYPTO_DRBG_HASH_STRING
2013                    CRYPTO_DRBG_HMAC_STRING
2014                    CRYPTO_DRBG_CTR_STRING);
2015 MODULE_ALIAS_CRYPTO("stdrng");