]>
Commit | Line | Data |
---|---|---|
3e16f959 SM |
1 | /* |
2 | * DRBG based on NIST SP800-90A | |
3 | * | |
4 | * Copyright Stephan Mueller <smueller@chronox.de>, 2014 | |
5 | * | |
6 | * Redistribution and use in source and binary forms, with or without | |
7 | * modification, are permitted provided that the following conditions | |
8 | * are met: | |
9 | * 1. Redistributions of source code must retain the above copyright | |
10 | * notice, and the entire permission notice in its entirety, | |
11 | * including the disclaimer of warranties. | |
12 | * 2. Redistributions in binary form must reproduce the above copyright | |
13 | * notice, this list of conditions and the following disclaimer in the | |
14 | * documentation and/or other materials provided with the distribution. | |
15 | * 3. The name of the author may not be used to endorse or promote | |
16 | * products derived from this software without specific prior | |
17 | * written permission. | |
18 | * | |
19 | * ALTERNATIVELY, this product may be distributed under the terms of | |
20 | * the GNU General Public License, in which case the provisions of the GPL are | |
21 | * required INSTEAD OF the above restrictions. (This clause is | |
22 | * necessary due to a potential bad interaction between the GPL and | |
23 | * the restrictions contained in a BSD-style copyright.) | |
24 | * | |
25 | * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED | |
26 | * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES | |
27 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF | |
28 | * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE | |
29 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | |
30 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT | |
31 | * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR | |
32 | * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF | |
33 | * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | |
34 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE | |
35 | * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH | |
36 | * DAMAGE. | |
37 | */ | |
38 | ||
39 | #ifndef _DRBG_H | |
40 | #define _DRBG_H | |
41 | ||
42 | ||
43 | #include <linux/random.h> | |
44 | #include <linux/scatterlist.h> | |
45 | #include <crypto/hash.h> | |
46 | #include <linux/module.h> | |
47 | #include <linux/crypto.h> | |
48 | #include <linux/slab.h> | |
49 | #include <crypto/internal/rng.h> | |
50 | #include <crypto/rng.h> | |
51 | #include <linux/fips.h> | |
52 | #include <linux/spinlock.h> | |
8c987166 | 53 | #include <linux/list.h> |
3e16f959 SM |
54 | |
55 | /* | |
56 | * Concatenation Helper and string operation helper | |
57 | * | |
58 | * SP800-90A requires the concatenation of different data. To avoid copying | |
59 | * buffers around or allocate additional memory, the following data structure | |
60 | * is used to point to the original memory with its size. In addition, it | |
61 | * is used to build a linked list. The linked list defines the concatenation | |
62 | * of individual buffers. The order of memory block referenced in that | |
63 | * linked list determines the order of concatenation. | |
64 | */ | |
65 | struct drbg_string { | |
66 | const unsigned char *buf; | |
67 | size_t len; | |
8c987166 | 68 | struct list_head list; |
3e16f959 SM |
69 | }; |
70 | ||
71 | static inline void drbg_string_fill(struct drbg_string *string, | |
72 | const unsigned char *buf, size_t len) | |
73 | { | |
74 | string->buf = buf; | |
75 | string->len = len; | |
8c987166 | 76 | INIT_LIST_HEAD(&string->list); |
3e16f959 SM |
77 | } |
78 | ||
79 | struct drbg_state; | |
80 | typedef uint32_t drbg_flag_t; | |
81 | ||
82 | struct drbg_core { | |
83 | drbg_flag_t flags; /* flags for the cipher */ | |
84 | __u8 statelen; /* maximum state length */ | |
3e16f959 SM |
85 | __u8 blocklen_bytes; /* block size of output in bytes */ |
86 | char cra_name[CRYPTO_MAX_ALG_NAME]; /* mapping to kernel crypto API */ | |
87 | /* kernel crypto API backend cipher name */ | |
88 | char backend_cra_name[CRYPTO_MAX_ALG_NAME]; | |
89 | }; | |
90 | ||
91 | struct drbg_state_ops { | |
8c987166 | 92 | int (*update)(struct drbg_state *drbg, struct list_head *seed, |
3e16f959 SM |
93 | int reseed); |
94 | int (*generate)(struct drbg_state *drbg, | |
95 | unsigned char *buf, unsigned int buflen, | |
27e4de2b | 96 | struct list_head *addtl); |
3e16f959 SM |
97 | int (*crypto_init)(struct drbg_state *drbg); |
98 | int (*crypto_fini)(struct drbg_state *drbg); | |
99 | ||
100 | }; | |
101 | ||
102 | struct drbg_test_data { | |
103 | struct drbg_string *testentropy; /* TEST PARAMETER: test entropy */ | |
104 | }; | |
105 | ||
106 | struct drbg_state { | |
107 | spinlock_t drbg_lock; /* lock around DRBG */ | |
108 | unsigned char *V; /* internal state 10.1.1.1 1a) */ | |
109 | /* hash: static value 10.1.1.1 1b) hmac / ctr: key */ | |
110 | unsigned char *C; | |
111 | /* Number of RNG requests since last reseed -- 10.1.1.1 1c) */ | |
112 | size_t reseed_ctr; | |
113 | /* some memory the DRBG can use for its operation */ | |
114 | unsigned char *scratchpad; | |
115 | void *priv_data; /* Cipher handle */ | |
116 | bool seeded; /* DRBG fully seeded? */ | |
117 | bool pr; /* Prediction resistance enabled? */ | |
118 | #ifdef CONFIG_CRYPTO_FIPS | |
119 | bool fips_primed; /* Continuous test primed? */ | |
120 | unsigned char *prev; /* FIPS 140-2 continuous test value */ | |
121 | #endif | |
122 | const struct drbg_state_ops *d_ops; | |
123 | const struct drbg_core *core; | |
124 | struct drbg_test_data *test_data; | |
125 | }; | |
126 | ||
127 | static inline __u8 drbg_statelen(struct drbg_state *drbg) | |
128 | { | |
129 | if (drbg && drbg->core) | |
130 | return drbg->core->statelen; | |
131 | return 0; | |
132 | } | |
133 | ||
134 | static inline __u8 drbg_blocklen(struct drbg_state *drbg) | |
135 | { | |
136 | if (drbg && drbg->core) | |
137 | return drbg->core->blocklen_bytes; | |
138 | return 0; | |
139 | } | |
140 | ||
141 | static inline __u8 drbg_keylen(struct drbg_state *drbg) | |
142 | { | |
143 | if (drbg && drbg->core) | |
144 | return (drbg->core->statelen - drbg->core->blocklen_bytes); | |
145 | return 0; | |
146 | } | |
147 | ||
148 | static inline size_t drbg_max_request_bytes(struct drbg_state *drbg) | |
149 | { | |
05c81ccd SM |
150 | /* SP800-90A requires the limit 2**19 bits, but we return bytes */ |
151 | return (1 << 16); | |
3e16f959 SM |
152 | } |
153 | ||
154 | static inline size_t drbg_max_addtl(struct drbg_state *drbg) | |
155 | { | |
05c81ccd SM |
156 | /* SP800-90A requires 2**35 bytes additional info str / pers str */ |
157 | return (1UL<<35); | |
3e16f959 SM |
158 | } |
159 | ||
160 | static inline size_t drbg_max_requests(struct drbg_state *drbg) | |
161 | { | |
05c81ccd SM |
162 | /* SP800-90A requires 2**48 maximum requests before reseeding */ |
163 | return (1UL<<48); | |
3e16f959 SM |
164 | } |
165 | ||
166 | /* | |
167 | * kernel crypto API input data structure for DRBG generate in case dlen | |
168 | * is set to 0 | |
169 | */ | |
170 | struct drbg_gen { | |
171 | unsigned char *outbuf; /* output buffer for random numbers */ | |
172 | unsigned int outlen; /* size of output buffer */ | |
173 | struct drbg_string *addtl; /* additional information string */ | |
174 | struct drbg_test_data *test_data; /* test data */ | |
175 | }; | |
176 | ||
177 | /* | |
178 | * This is a wrapper to the kernel crypto API function of | |
179 | * crypto_rng_get_bytes() to allow the caller to provide additional data. | |
180 | * | |
181 | * @drng DRBG handle -- see crypto_rng_get_bytes | |
182 | * @outbuf output buffer -- see crypto_rng_get_bytes | |
183 | * @outlen length of output buffer -- see crypto_rng_get_bytes | |
184 | * @addtl_input additional information string input buffer | |
185 | * @addtllen length of additional information string buffer | |
186 | * | |
187 | * return | |
188 | * see crypto_rng_get_bytes | |
189 | */ | |
190 | static inline int crypto_drbg_get_bytes_addtl(struct crypto_rng *drng, | |
191 | unsigned char *outbuf, unsigned int outlen, | |
192 | struct drbg_string *addtl) | |
193 | { | |
194 | int ret; | |
195 | struct drbg_gen genbuf; | |
196 | genbuf.outbuf = outbuf; | |
197 | genbuf.outlen = outlen; | |
198 | genbuf.addtl = addtl; | |
199 | genbuf.test_data = NULL; | |
200 | ret = crypto_rng_get_bytes(drng, (u8 *)&genbuf, 0); | |
201 | return ret; | |
202 | } | |
203 | ||
204 | /* | |
205 | * TEST code | |
206 | * | |
207 | * This is a wrapper to the kernel crypto API function of | |
208 | * crypto_rng_get_bytes() to allow the caller to provide additional data and | |
209 | * allow furnishing of test_data | |
210 | * | |
211 | * @drng DRBG handle -- see crypto_rng_get_bytes | |
212 | * @outbuf output buffer -- see crypto_rng_get_bytes | |
213 | * @outlen length of output buffer -- see crypto_rng_get_bytes | |
214 | * @addtl_input additional information string input buffer | |
215 | * @addtllen length of additional information string buffer | |
216 | * @test_data filled test data | |
217 | * | |
218 | * return | |
219 | * see crypto_rng_get_bytes | |
220 | */ | |
221 | static inline int crypto_drbg_get_bytes_addtl_test(struct crypto_rng *drng, | |
222 | unsigned char *outbuf, unsigned int outlen, | |
223 | struct drbg_string *addtl, | |
224 | struct drbg_test_data *test_data) | |
225 | { | |
226 | int ret; | |
227 | struct drbg_gen genbuf; | |
228 | genbuf.outbuf = outbuf; | |
229 | genbuf.outlen = outlen; | |
230 | genbuf.addtl = addtl; | |
231 | genbuf.test_data = test_data; | |
232 | ret = crypto_rng_get_bytes(drng, (u8 *)&genbuf, 0); | |
233 | return ret; | |
234 | } | |
235 | ||
236 | /* | |
237 | * TEST code | |
238 | * | |
239 | * This is a wrapper to the kernel crypto API function of | |
240 | * crypto_rng_reset() to allow the caller to provide test_data | |
241 | * | |
242 | * @drng DRBG handle -- see crypto_rng_reset | |
243 | * @pers personalization string input buffer | |
244 | * @perslen length of additional information string buffer | |
245 | * @test_data filled test data | |
246 | * | |
247 | * return | |
248 | * see crypto_rng_reset | |
249 | */ | |
250 | static inline int crypto_drbg_reset_test(struct crypto_rng *drng, | |
251 | struct drbg_string *pers, | |
252 | struct drbg_test_data *test_data) | |
253 | { | |
254 | int ret; | |
255 | struct drbg_gen genbuf; | |
256 | genbuf.outbuf = NULL; | |
257 | genbuf.outlen = 0; | |
258 | genbuf.addtl = pers; | |
259 | genbuf.test_data = test_data; | |
260 | ret = crypto_rng_reset(drng, (u8 *)&genbuf, 0); | |
261 | return ret; | |
262 | } | |
263 | ||
264 | /* DRBG type flags */ | |
265 | #define DRBG_CTR ((drbg_flag_t)1<<0) | |
266 | #define DRBG_HMAC ((drbg_flag_t)1<<1) | |
267 | #define DRBG_HASH ((drbg_flag_t)1<<2) | |
268 | #define DRBG_TYPE_MASK (DRBG_CTR | DRBG_HMAC | DRBG_HASH) | |
269 | /* DRBG strength flags */ | |
270 | #define DRBG_STRENGTH128 ((drbg_flag_t)1<<3) | |
271 | #define DRBG_STRENGTH192 ((drbg_flag_t)1<<4) | |
272 | #define DRBG_STRENGTH256 ((drbg_flag_t)1<<5) | |
273 | #define DRBG_STRENGTH_MASK (DRBG_STRENGTH128 | DRBG_STRENGTH192 | \ | |
274 | DRBG_STRENGTH256) | |
275 | ||
276 | enum drbg_prefixes { | |
277 | DRBG_PREFIX0 = 0x00, | |
278 | DRBG_PREFIX1, | |
279 | DRBG_PREFIX2, | |
280 | DRBG_PREFIX3 | |
281 | }; | |
282 | ||
283 | #endif /* _DRBG_H */ |