Commit | Line | Data |
---|---|---|
3e16f959 SM |
1 | /* |
2 | * DRBG based on NIST SP800-90A | |
3 | * | |
4 | * Copyright Stephan Mueller <smueller@chronox.de>, 2014 | |
5 | * | |
6 | * Redistribution and use in source and binary forms, with or without | |
7 | * modification, are permitted provided that the following conditions | |
8 | * are met: | |
9 | * 1. Redistributions of source code must retain the above copyright | |
10 | * notice, and the entire permission notice in its entirety, | |
11 | * including the disclaimer of warranties. | |
12 | * 2. Redistributions in binary form must reproduce the above copyright | |
13 | * notice, this list of conditions and the following disclaimer in the | |
14 | * documentation and/or other materials provided with the distribution. | |
15 | * 3. The name of the author may not be used to endorse or promote | |
16 | * products derived from this software without specific prior | |
17 | * written permission. | |
18 | * | |
19 | * ALTERNATIVELY, this product may be distributed under the terms of | |
20 | * the GNU General Public License, in which case the provisions of the GPL are | |
21 | * required INSTEAD OF the above restrictions. (This clause is | |
22 | * necessary due to a potential bad interaction between the GPL and | |
23 | * the restrictions contained in a BSD-style copyright.) | |
24 | * | |
25 | * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED | |
26 | * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES | |
27 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF | |
28 | * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE | |
29 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | |
30 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT | |
31 | * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR | |
32 | * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF | |
33 | * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | |
34 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE | |
35 | * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH | |
36 | * DAMAGE. | |
37 | */ | |
38 | ||
39 | #ifndef _DRBG_H | |
40 | #define _DRBG_H | |
41 | ||
42 | ||
43 | #include <linux/random.h> | |
44 | #include <linux/scatterlist.h> | |
45 | #include <crypto/hash.h> | |
46 | #include <linux/module.h> | |
47 | #include <linux/crypto.h> | |
48 | #include <linux/slab.h> | |
49 | #include <crypto/internal/rng.h> | |
50 | #include <crypto/rng.h> | |
51 | #include <linux/fips.h> | |
52 | #include <linux/spinlock.h> | |
53 | ||
54 | /* | |
55 | * Concatenation Helper and string operation helper | |
56 | * | |
57 | * SP800-90A requires the concatenation of different data. To avoid copying | |
58 | * buffers around or allocate additional memory, the following data structure | |
59 | * is used to point to the original memory with its size. In addition, it | |
60 | * is used to build a linked list. The linked list defines the concatenation | |
61 | * of individual buffers. The order of memory block referenced in that | |
62 | * linked list determines the order of concatenation. | |
63 | */ | |
64 | struct drbg_string { | |
65 | const unsigned char *buf; | |
66 | size_t len; | |
67 | struct drbg_string *next; | |
68 | }; | |
69 | ||
70 | static inline void drbg_string_fill(struct drbg_string *string, | |
71 | const unsigned char *buf, size_t len) | |
72 | { | |
73 | string->buf = buf; | |
74 | string->len = len; | |
75 | string->next = NULL; | |
76 | } | |
77 | ||
78 | struct drbg_state; | |
79 | typedef uint32_t drbg_flag_t; | |
80 | ||
81 | struct drbg_core { | |
82 | drbg_flag_t flags; /* flags for the cipher */ | |
83 | __u8 statelen; /* maximum state length */ | |
84 | /* | |
85 | * maximum length of personalization string or additional input | |
86 | * string -- exponent for base 2 | |
87 | */ | |
88 | __u8 max_addtllen; | |
89 | /* maximum bits per RNG request -- exponent for base 2*/ | |
90 | __u8 max_bits; | |
91 | /* maximum number of requests -- exponent for base 2 */ | |
92 | __u8 max_req; | |
93 | __u8 blocklen_bytes; /* block size of output in bytes */ | |
94 | char cra_name[CRYPTO_MAX_ALG_NAME]; /* mapping to kernel crypto API */ | |
95 | /* kernel crypto API backend cipher name */ | |
96 | char backend_cra_name[CRYPTO_MAX_ALG_NAME]; | |
97 | }; | |
98 | ||
99 | struct drbg_state_ops { | |
100 | int (*update)(struct drbg_state *drbg, struct drbg_string *seed, | |
101 | int reseed); | |
102 | int (*generate)(struct drbg_state *drbg, | |
103 | unsigned char *buf, unsigned int buflen, | |
104 | struct drbg_string *addtl); | |
105 | int (*crypto_init)(struct drbg_state *drbg); | |
106 | int (*crypto_fini)(struct drbg_state *drbg); | |
107 | ||
108 | }; | |
109 | ||
110 | struct drbg_test_data { | |
111 | struct drbg_string *testentropy; /* TEST PARAMETER: test entropy */ | |
112 | }; | |
113 | ||
114 | struct drbg_state { | |
115 | spinlock_t drbg_lock; /* lock around DRBG */ | |
116 | unsigned char *V; /* internal state 10.1.1.1 1a) */ | |
117 | /* hash: static value 10.1.1.1 1b) hmac / ctr: key */ | |
118 | unsigned char *C; | |
119 | /* Number of RNG requests since last reseed -- 10.1.1.1 1c) */ | |
120 | size_t reseed_ctr; | |
121 | /* some memory the DRBG can use for its operation */ | |
122 | unsigned char *scratchpad; | |
123 | void *priv_data; /* Cipher handle */ | |
124 | bool seeded; /* DRBG fully seeded? */ | |
125 | bool pr; /* Prediction resistance enabled? */ | |
126 | #ifdef CONFIG_CRYPTO_FIPS | |
127 | bool fips_primed; /* Continuous test primed? */ | |
128 | unsigned char *prev; /* FIPS 140-2 continuous test value */ | |
129 | #endif | |
130 | const struct drbg_state_ops *d_ops; | |
131 | const struct drbg_core *core; | |
132 | struct drbg_test_data *test_data; | |
133 | }; | |
134 | ||
135 | static inline __u8 drbg_statelen(struct drbg_state *drbg) | |
136 | { | |
137 | if (drbg && drbg->core) | |
138 | return drbg->core->statelen; | |
139 | return 0; | |
140 | } | |
141 | ||
142 | static inline __u8 drbg_blocklen(struct drbg_state *drbg) | |
143 | { | |
144 | if (drbg && drbg->core) | |
145 | return drbg->core->blocklen_bytes; | |
146 | return 0; | |
147 | } | |
148 | ||
149 | static inline __u8 drbg_keylen(struct drbg_state *drbg) | |
150 | { | |
151 | if (drbg && drbg->core) | |
152 | return (drbg->core->statelen - drbg->core->blocklen_bytes); | |
153 | return 0; | |
154 | } | |
155 | ||
156 | static inline size_t drbg_max_request_bytes(struct drbg_state *drbg) | |
157 | { | |
158 | /* max_bits is in bits, but buflen is in bytes */ | |
159 | return (1 << (drbg->core->max_bits - 3)); | |
160 | } | |
161 | ||
162 | static inline size_t drbg_max_addtl(struct drbg_state *drbg) | |
163 | { | |
164 | return (1UL<<(drbg->core->max_addtllen)); | |
165 | } | |
166 | ||
167 | static inline size_t drbg_max_requests(struct drbg_state *drbg) | |
168 | { | |
169 | return (1UL<<(drbg->core->max_req)); | |
170 | } | |
171 | ||
172 | /* | |
173 | * kernel crypto API input data structure for DRBG generate in case dlen | |
174 | * is set to 0 | |
175 | */ | |
176 | struct drbg_gen { | |
177 | unsigned char *outbuf; /* output buffer for random numbers */ | |
178 | unsigned int outlen; /* size of output buffer */ | |
179 | struct drbg_string *addtl; /* additional information string */ | |
180 | struct drbg_test_data *test_data; /* test data */ | |
181 | }; | |
182 | ||
183 | /* | |
184 | * This is a wrapper to the kernel crypto API function of | |
185 | * crypto_rng_get_bytes() to allow the caller to provide additional data. | |
186 | * | |
187 | * @drng DRBG handle -- see crypto_rng_get_bytes | |
188 | * @outbuf output buffer -- see crypto_rng_get_bytes | |
189 | * @outlen length of output buffer -- see crypto_rng_get_bytes | |
190 | * @addtl_input additional information string input buffer | |
191 | * @addtllen length of additional information string buffer | |
192 | * | |
193 | * return | |
194 | * see crypto_rng_get_bytes | |
195 | */ | |
196 | static inline int crypto_drbg_get_bytes_addtl(struct crypto_rng *drng, | |
197 | unsigned char *outbuf, unsigned int outlen, | |
198 | struct drbg_string *addtl) | |
199 | { | |
200 | int ret; | |
201 | struct drbg_gen genbuf; | |
202 | genbuf.outbuf = outbuf; | |
203 | genbuf.outlen = outlen; | |
204 | genbuf.addtl = addtl; | |
205 | genbuf.test_data = NULL; | |
206 | ret = crypto_rng_get_bytes(drng, (u8 *)&genbuf, 0); | |
207 | return ret; | |
208 | } | |
209 | ||
210 | /* | |
211 | * TEST code | |
212 | * | |
213 | * This is a wrapper to the kernel crypto API function of | |
214 | * crypto_rng_get_bytes() to allow the caller to provide additional data and | |
215 | * allow furnishing of test_data | |
216 | * | |
217 | * @drng DRBG handle -- see crypto_rng_get_bytes | |
218 | * @outbuf output buffer -- see crypto_rng_get_bytes | |
219 | * @outlen length of output buffer -- see crypto_rng_get_bytes | |
220 | * @addtl_input additional information string input buffer | |
221 | * @addtllen length of additional information string buffer | |
222 | * @test_data filled test data | |
223 | * | |
224 | * return | |
225 | * see crypto_rng_get_bytes | |
226 | */ | |
227 | static inline int crypto_drbg_get_bytes_addtl_test(struct crypto_rng *drng, | |
228 | unsigned char *outbuf, unsigned int outlen, | |
229 | struct drbg_string *addtl, | |
230 | struct drbg_test_data *test_data) | |
231 | { | |
232 | int ret; | |
233 | struct drbg_gen genbuf; | |
234 | genbuf.outbuf = outbuf; | |
235 | genbuf.outlen = outlen; | |
236 | genbuf.addtl = addtl; | |
237 | genbuf.test_data = test_data; | |
238 | ret = crypto_rng_get_bytes(drng, (u8 *)&genbuf, 0); | |
239 | return ret; | |
240 | } | |
241 | ||
242 | /* | |
243 | * TEST code | |
244 | * | |
245 | * This is a wrapper to the kernel crypto API function of | |
246 | * crypto_rng_reset() to allow the caller to provide test_data | |
247 | * | |
248 | * @drng DRBG handle -- see crypto_rng_reset | |
249 | * @pers personalization string input buffer | |
250 | * @perslen length of additional information string buffer | |
251 | * @test_data filled test data | |
252 | * | |
253 | * return | |
254 | * see crypto_rng_reset | |
255 | */ | |
256 | static inline int crypto_drbg_reset_test(struct crypto_rng *drng, | |
257 | struct drbg_string *pers, | |
258 | struct drbg_test_data *test_data) | |
259 | { | |
260 | int ret; | |
261 | struct drbg_gen genbuf; | |
262 | genbuf.outbuf = NULL; | |
263 | genbuf.outlen = 0; | |
264 | genbuf.addtl = pers; | |
265 | genbuf.test_data = test_data; | |
266 | ret = crypto_rng_reset(drng, (u8 *)&genbuf, 0); | |
267 | return ret; | |
268 | } | |
269 | ||
270 | /* DRBG type flags */ | |
271 | #define DRBG_CTR ((drbg_flag_t)1<<0) | |
272 | #define DRBG_HMAC ((drbg_flag_t)1<<1) | |
273 | #define DRBG_HASH ((drbg_flag_t)1<<2) | |
274 | #define DRBG_TYPE_MASK (DRBG_CTR | DRBG_HMAC | DRBG_HASH) | |
275 | /* DRBG strength flags */ | |
276 | #define DRBG_STRENGTH128 ((drbg_flag_t)1<<3) | |
277 | #define DRBG_STRENGTH192 ((drbg_flag_t)1<<4) | |
278 | #define DRBG_STRENGTH256 ((drbg_flag_t)1<<5) | |
279 | #define DRBG_STRENGTH_MASK (DRBG_STRENGTH128 | DRBG_STRENGTH192 | \ | |
280 | DRBG_STRENGTH256) | |
281 | ||
282 | enum drbg_prefixes { | |
283 | DRBG_PREFIX0 = 0x00, | |
284 | DRBG_PREFIX1, | |
285 | DRBG_PREFIX2, | |
286 | DRBG_PREFIX3 | |
287 | }; | |
288 | ||
289 | #endif /* _DRBG_H */ |