Commit | Line | Data |
---|---|---|
3e16f959 SM |
1 | /* |
2 | * DRBG based on NIST SP800-90A | |
3 | * | |
4 | * Copyright Stephan Mueller <smueller@chronox.de>, 2014 | |
5 | * | |
6 | * Redistribution and use in source and binary forms, with or without | |
7 | * modification, are permitted provided that the following conditions | |
8 | * are met: | |
9 | * 1. Redistributions of source code must retain the above copyright | |
10 | * notice, and the entire permission notice in its entirety, | |
11 | * including the disclaimer of warranties. | |
12 | * 2. Redistributions in binary form must reproduce the above copyright | |
13 | * notice, this list of conditions and the following disclaimer in the | |
14 | * documentation and/or other materials provided with the distribution. | |
15 | * 3. The name of the author may not be used to endorse or promote | |
16 | * products derived from this software without specific prior | |
17 | * written permission. | |
18 | * | |
19 | * ALTERNATIVELY, this product may be distributed under the terms of | |
20 | * the GNU General Public License, in which case the provisions of the GPL are | |
21 | * required INSTEAD OF the above restrictions. (This clause is | |
22 | * necessary due to a potential bad interaction between the GPL and | |
23 | * the restrictions contained in a BSD-style copyright.) | |
24 | * | |
25 | * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED | |
26 | * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES | |
27 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF | |
28 | * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE | |
29 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | |
30 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT | |
31 | * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR | |
32 | * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF | |
33 | * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | |
34 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE | |
35 | * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH | |
36 | * DAMAGE. | |
37 | */ | |
38 | ||
39 | #ifndef _DRBG_H | |
40 | #define _DRBG_H | |
41 | ||
42 | ||
43 | #include <linux/random.h> | |
44 | #include <linux/scatterlist.h> | |
45 | #include <crypto/hash.h> | |
46 | #include <linux/module.h> | |
47 | #include <linux/crypto.h> | |
48 | #include <linux/slab.h> | |
49 | #include <crypto/internal/rng.h> | |
50 | #include <crypto/rng.h> | |
51 | #include <linux/fips.h> | |
52 | #include <linux/spinlock.h> | |
8c987166 | 53 | #include <linux/list.h> |
3e16f959 SM |
54 | |
55 | /* | |
56 | * Concatenation Helper and string operation helper | |
57 | * | |
58 | * SP800-90A requires the concatenation of different data. To avoid copying | |
59 | * buffers around or allocate additional memory, the following data structure | |
60 | * is used to point to the original memory with its size. In addition, it | |
61 | * is used to build a linked list. The linked list defines the concatenation | |
62 | * of individual buffers. The order of memory block referenced in that | |
63 | * linked list determines the order of concatenation. | |
64 | */ | |
65 | struct drbg_string { | |
66 | const unsigned char *buf; | |
67 | size_t len; | |
8c987166 | 68 | struct list_head list; |
3e16f959 SM |
69 | }; |
70 | ||
71 | static inline void drbg_string_fill(struct drbg_string *string, | |
72 | const unsigned char *buf, size_t len) | |
73 | { | |
74 | string->buf = buf; | |
75 | string->len = len; | |
8c987166 | 76 | INIT_LIST_HEAD(&string->list); |
3e16f959 SM |
77 | } |
78 | ||
79 | struct drbg_state; | |
80 | typedef uint32_t drbg_flag_t; | |
81 | ||
82 | struct drbg_core { | |
83 | drbg_flag_t flags; /* flags for the cipher */ | |
84 | __u8 statelen; /* maximum state length */ | |
85 | /* | |
86 | * maximum length of personalization string or additional input | |
87 | * string -- exponent for base 2 | |
88 | */ | |
89 | __u8 max_addtllen; | |
90 | /* maximum bits per RNG request -- exponent for base 2*/ | |
91 | __u8 max_bits; | |
92 | /* maximum number of requests -- exponent for base 2 */ | |
93 | __u8 max_req; | |
94 | __u8 blocklen_bytes; /* block size of output in bytes */ | |
95 | char cra_name[CRYPTO_MAX_ALG_NAME]; /* mapping to kernel crypto API */ | |
96 | /* kernel crypto API backend cipher name */ | |
97 | char backend_cra_name[CRYPTO_MAX_ALG_NAME]; | |
98 | }; | |
99 | ||
100 | struct drbg_state_ops { | |
8c987166 | 101 | int (*update)(struct drbg_state *drbg, struct list_head *seed, |
3e16f959 SM |
102 | int reseed); |
103 | int (*generate)(struct drbg_state *drbg, | |
104 | unsigned char *buf, unsigned int buflen, | |
27e4de2b | 105 | struct list_head *addtl); |
3e16f959 SM |
106 | int (*crypto_init)(struct drbg_state *drbg); |
107 | int (*crypto_fini)(struct drbg_state *drbg); | |
108 | ||
109 | }; | |
110 | ||
111 | struct drbg_test_data { | |
112 | struct drbg_string *testentropy; /* TEST PARAMETER: test entropy */ | |
113 | }; | |
114 | ||
115 | struct drbg_state { | |
116 | spinlock_t drbg_lock; /* lock around DRBG */ | |
117 | unsigned char *V; /* internal state 10.1.1.1 1a) */ | |
118 | /* hash: static value 10.1.1.1 1b) hmac / ctr: key */ | |
119 | unsigned char *C; | |
120 | /* Number of RNG requests since last reseed -- 10.1.1.1 1c) */ | |
121 | size_t reseed_ctr; | |
122 | /* some memory the DRBG can use for its operation */ | |
123 | unsigned char *scratchpad; | |
124 | void *priv_data; /* Cipher handle */ | |
125 | bool seeded; /* DRBG fully seeded? */ | |
126 | bool pr; /* Prediction resistance enabled? */ | |
127 | #ifdef CONFIG_CRYPTO_FIPS | |
128 | bool fips_primed; /* Continuous test primed? */ | |
129 | unsigned char *prev; /* FIPS 140-2 continuous test value */ | |
130 | #endif | |
131 | const struct drbg_state_ops *d_ops; | |
132 | const struct drbg_core *core; | |
133 | struct drbg_test_data *test_data; | |
134 | }; | |
135 | ||
136 | static inline __u8 drbg_statelen(struct drbg_state *drbg) | |
137 | { | |
138 | if (drbg && drbg->core) | |
139 | return drbg->core->statelen; | |
140 | return 0; | |
141 | } | |
142 | ||
143 | static inline __u8 drbg_blocklen(struct drbg_state *drbg) | |
144 | { | |
145 | if (drbg && drbg->core) | |
146 | return drbg->core->blocklen_bytes; | |
147 | return 0; | |
148 | } | |
149 | ||
150 | static inline __u8 drbg_keylen(struct drbg_state *drbg) | |
151 | { | |
152 | if (drbg && drbg->core) | |
153 | return (drbg->core->statelen - drbg->core->blocklen_bytes); | |
154 | return 0; | |
155 | } | |
156 | ||
157 | static inline size_t drbg_max_request_bytes(struct drbg_state *drbg) | |
158 | { | |
159 | /* max_bits is in bits, but buflen is in bytes */ | |
160 | return (1 << (drbg->core->max_bits - 3)); | |
161 | } | |
162 | ||
163 | static inline size_t drbg_max_addtl(struct drbg_state *drbg) | |
164 | { | |
165 | return (1UL<<(drbg->core->max_addtllen)); | |
166 | } | |
167 | ||
168 | static inline size_t drbg_max_requests(struct drbg_state *drbg) | |
169 | { | |
170 | return (1UL<<(drbg->core->max_req)); | |
171 | } | |
172 | ||
173 | /* | |
174 | * kernel crypto API input data structure for DRBG generate in case dlen | |
175 | * is set to 0 | |
176 | */ | |
177 | struct drbg_gen { | |
178 | unsigned char *outbuf; /* output buffer for random numbers */ | |
179 | unsigned int outlen; /* size of output buffer */ | |
180 | struct drbg_string *addtl; /* additional information string */ | |
181 | struct drbg_test_data *test_data; /* test data */ | |
182 | }; | |
183 | ||
184 | /* | |
185 | * This is a wrapper to the kernel crypto API function of | |
186 | * crypto_rng_get_bytes() to allow the caller to provide additional data. | |
187 | * | |
188 | * @drng DRBG handle -- see crypto_rng_get_bytes | |
189 | * @outbuf output buffer -- see crypto_rng_get_bytes | |
190 | * @outlen length of output buffer -- see crypto_rng_get_bytes | |
191 | * @addtl_input additional information string input buffer | |
192 | * @addtllen length of additional information string buffer | |
193 | * | |
194 | * return | |
195 | * see crypto_rng_get_bytes | |
196 | */ | |
197 | static inline int crypto_drbg_get_bytes_addtl(struct crypto_rng *drng, | |
198 | unsigned char *outbuf, unsigned int outlen, | |
199 | struct drbg_string *addtl) | |
200 | { | |
201 | int ret; | |
202 | struct drbg_gen genbuf; | |
203 | genbuf.outbuf = outbuf; | |
204 | genbuf.outlen = outlen; | |
205 | genbuf.addtl = addtl; | |
206 | genbuf.test_data = NULL; | |
207 | ret = crypto_rng_get_bytes(drng, (u8 *)&genbuf, 0); | |
208 | return ret; | |
209 | } | |
210 | ||
211 | /* | |
212 | * TEST code | |
213 | * | |
214 | * This is a wrapper to the kernel crypto API function of | |
215 | * crypto_rng_get_bytes() to allow the caller to provide additional data and | |
216 | * allow furnishing of test_data | |
217 | * | |
218 | * @drng DRBG handle -- see crypto_rng_get_bytes | |
219 | * @outbuf output buffer -- see crypto_rng_get_bytes | |
220 | * @outlen length of output buffer -- see crypto_rng_get_bytes | |
221 | * @addtl_input additional information string input buffer | |
222 | * @addtllen length of additional information string buffer | |
223 | * @test_data filled test data | |
224 | * | |
225 | * return | |
226 | * see crypto_rng_get_bytes | |
227 | */ | |
228 | static inline int crypto_drbg_get_bytes_addtl_test(struct crypto_rng *drng, | |
229 | unsigned char *outbuf, unsigned int outlen, | |
230 | struct drbg_string *addtl, | |
231 | struct drbg_test_data *test_data) | |
232 | { | |
233 | int ret; | |
234 | struct drbg_gen genbuf; | |
235 | genbuf.outbuf = outbuf; | |
236 | genbuf.outlen = outlen; | |
237 | genbuf.addtl = addtl; | |
238 | genbuf.test_data = test_data; | |
239 | ret = crypto_rng_get_bytes(drng, (u8 *)&genbuf, 0); | |
240 | return ret; | |
241 | } | |
242 | ||
243 | /* | |
244 | * TEST code | |
245 | * | |
246 | * This is a wrapper to the kernel crypto API function of | |
247 | * crypto_rng_reset() to allow the caller to provide test_data | |
248 | * | |
249 | * @drng DRBG handle -- see crypto_rng_reset | |
250 | * @pers personalization string input buffer | |
251 | * @perslen length of additional information string buffer | |
252 | * @test_data filled test data | |
253 | * | |
254 | * return | |
255 | * see crypto_rng_reset | |
256 | */ | |
257 | static inline int crypto_drbg_reset_test(struct crypto_rng *drng, | |
258 | struct drbg_string *pers, | |
259 | struct drbg_test_data *test_data) | |
260 | { | |
261 | int ret; | |
262 | struct drbg_gen genbuf; | |
263 | genbuf.outbuf = NULL; | |
264 | genbuf.outlen = 0; | |
265 | genbuf.addtl = pers; | |
266 | genbuf.test_data = test_data; | |
267 | ret = crypto_rng_reset(drng, (u8 *)&genbuf, 0); | |
268 | return ret; | |
269 | } | |
270 | ||
271 | /* DRBG type flags */ | |
272 | #define DRBG_CTR ((drbg_flag_t)1<<0) | |
273 | #define DRBG_HMAC ((drbg_flag_t)1<<1) | |
274 | #define DRBG_HASH ((drbg_flag_t)1<<2) | |
275 | #define DRBG_TYPE_MASK (DRBG_CTR | DRBG_HMAC | DRBG_HASH) | |
276 | /* DRBG strength flags */ | |
277 | #define DRBG_STRENGTH128 ((drbg_flag_t)1<<3) | |
278 | #define DRBG_STRENGTH192 ((drbg_flag_t)1<<4) | |
279 | #define DRBG_STRENGTH256 ((drbg_flag_t)1<<5) | |
280 | #define DRBG_STRENGTH_MASK (DRBG_STRENGTH128 | DRBG_STRENGTH192 | \ | |
281 | DRBG_STRENGTH256) | |
282 | ||
283 | enum drbg_prefixes { | |
284 | DRBG_PREFIX0 = 0x00, | |
285 | DRBG_PREFIX1, | |
286 | DRBG_PREFIX2, | |
287 | DRBG_PREFIX3 | |
288 | }; | |
289 | ||
290 | #endif /* _DRBG_H */ |