include/crypto/drbg.h

0001 /*
0002  * DRBG based on NIST SP800-90A
0003  *
0004  * Copyright Stephan Mueller <smueller@chronox.de>, 2014
0005  *
0006  * Redistribution and use in source and binary forms, with or without
0007  * modification, are permitted provided that the following conditions
0008  * are met:
0009  * 1. Redistributions of source code must retain the above copyright
0010  *    notice, and the entire permission notice in its entirety,
0011  *    including the disclaimer of warranties.
0012  * 2. Redistributions in binary form must reproduce the above copyright
0013  *    notice, this list of conditions and the following disclaimer in the
0014  *    documentation and/or other materials provided with the distribution.
0015  * 3. The name of the author may not be used to endorse or promote
0016  *    products derived from this software without specific prior
0017  *    written permission.
0018  *
0019  * ALTERNATIVELY, this product may be distributed under the terms of
0020  * the GNU General Public License, in which case the provisions of the GPL are
0021  * required INSTEAD OF the above restrictions.  (This clause is
0022  * necessary due to a potential bad interaction between the GPL and
0023  * the restrictions contained in a BSD-style copyright.)
0024  *
0025  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
0026  * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
0027  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
0028  * WHICH ARE HEREBY DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE
0029  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
0030  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
0031  * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
0032  * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
0033  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
0034  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
0035  * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
0036  * DAMAGE.
0037  */
0038
0039 #ifndef _DRBG_H
0040 #define _DRBG_H
0041
0042
0043 #include <linux/random.h>
0044 #include <linux/scatterlist.h>
0045 #include <crypto/hash.h>
0046 #include <crypto/skcipher.h>
0047 #include <linux/module.h>
0048 #include <linux/crypto.h>
0049 #include <linux/slab.h>
0050 #include <crypto/internal/rng.h>
0051 #include <crypto/rng.h>
0052 #include <linux/fips.h>
0053 #include <linux/mutex.h>
0054 #include <linux/list.h>
0055 #include <linux/workqueue.h>
0056
0057 /*
0058  * Concatenation Helper and string operation helper
0059  *
0060  * SP800-90A requires the concatenation of different data. To avoid copying
0061  * buffers around or allocate additional memory, the following data structure
0062  * is used to point to the original memory with its size. In addition, it
0063  * is used to build a linked list. The linked list defines the concatenation
0064  * of individual buffers. The order of memory block referenced in that
0065  * linked list determines the order of concatenation.
0066  */
0067 struct drbg_string {
0068     const unsigned char *buf;
0069     size_t len;
0070     struct list_head list;
0071 };
0072
0073 static inline void drbg_string_fill(struct drbg_string *string,
0074                     const unsigned char *buf, size_t len)
0075 {
0076     string->buf = buf;
0077     string->len = len;
0078     INIT_LIST_HEAD(&string->list);
0079 }
0080
0081 struct drbg_state;
0082 typedef uint32_t drbg_flag_t;
0083
0084 struct drbg_core {
0085     drbg_flag_t flags;  /* flags for the cipher */
0086     __u8 statelen;      /* maximum state length */
0087     __u8 blocklen_bytes;    /* block size of output in bytes */
0088     char cra_name[CRYPTO_MAX_ALG_NAME]; /* mapping to kernel crypto API */
0089      /* kernel crypto API backend cipher name */
0090     char backend_cra_name[CRYPTO_MAX_ALG_NAME];
0091 };
0092
0093 struct drbg_state_ops {
0094     int (*update)(struct drbg_state *drbg, struct list_head *seed,
0095               int reseed);
0096     int (*generate)(struct drbg_state *drbg,
0097             unsigned char *buf, unsigned int buflen,
0098             struct list_head *addtl);
0099     int (*crypto_init)(struct drbg_state *drbg);
0100     int (*crypto_fini)(struct drbg_state *drbg);
0101
0102 };
0103
0104 struct drbg_test_data {
0105     struct drbg_string *testentropy; /* TEST PARAMETER: test entropy */
0106 };
0107
0108 enum drbg_seed_state {
0109     DRBG_SEED_STATE_UNSEEDED,
0110     DRBG_SEED_STATE_PARTIAL, /* Seeded with !rng_is_initialized() */
0111     DRBG_SEED_STATE_FULL,
0112 };
0113
0114 struct drbg_state {
0115     struct mutex drbg_mutex;    /* lock around DRBG */
0116     unsigned char *V;   /* internal state 10.1.1.1 1a) */
0117     unsigned char *Vbuf;
0118     /* hash: static value 10.1.1.1 1b) hmac / ctr: key */
0119     unsigned char *C;
0120     unsigned char *Cbuf;
0121     /* Number of RNG requests since last reseed -- 10.1.1.1 1c) */
0122     size_t reseed_ctr;
0123     size_t reseed_threshold;
0124      /* some memory the DRBG can use for its operation */
0125     unsigned char *scratchpad;
0126     unsigned char *scratchpadbuf;
0127     void *priv_data;    /* Cipher handle */
0128
0129     struct crypto_skcipher *ctr_handle; /* CTR mode cipher handle */
0130     struct skcipher_request *ctr_req;   /* CTR mode request handle */
0131     __u8 *outscratchpadbuf;         /* CTR mode output scratchpad */
0132         __u8 *outscratchpad;            /* CTR mode aligned outbuf */
0133     struct crypto_wait ctr_wait;        /* CTR mode async wait obj */
0134     struct scatterlist sg_in, sg_out;   /* CTR mode SGLs */
0135
0136     enum drbg_seed_state seeded;        /* DRBG fully seeded? */
0137     unsigned long last_seed_time;
0138     bool pr;        /* Prediction resistance enabled? */
0139     bool fips_primed;   /* Continuous test primed? */
0140     unsigned char *prev;    /* FIPS 140-2 continuous test value */
0141     struct crypto_rng *jent;
0142     const struct drbg_state_ops *d_ops;
0143     const struct drbg_core *core;
0144     struct drbg_string test_data;
0145 };
0146
0147 static inline __u8 drbg_statelen(struct drbg_state *drbg)
0148 {
0149     if (drbg && drbg->core)
0150         return drbg->core->statelen;
0151     return 0;
0152 }
0153
0154 static inline __u8 drbg_blocklen(struct drbg_state *drbg)
0155 {
0156     if (drbg && drbg->core)
0157         return drbg->core->blocklen_bytes;
0158     return 0;
0159 }
0160
0161 static inline __u8 drbg_keylen(struct drbg_state *drbg)
0162 {
0163     if (drbg && drbg->core)
0164         return (drbg->core->statelen - drbg->core->blocklen_bytes);
0165     return 0;
0166 }
0167
0168 static inline size_t drbg_max_request_bytes(struct drbg_state *drbg)
0169 {
0170     /* SP800-90A requires the limit 2**19 bits, but we return bytes */
0171     return (1 << 16);
0172 }
0173
0174 static inline size_t drbg_max_addtl(struct drbg_state *drbg)
0175 {
0176     /* SP800-90A requires 2**35 bytes additional info str / pers str */
0177 #if (__BITS_PER_LONG == 32)
0178     /*
0179      * SP800-90A allows smaller maximum numbers to be returned -- we
0180      * return SIZE_MAX - 1 to allow the verification of the enforcement
0181      * of this value in drbg_healthcheck_sanity.
0182      */
0183     return (SIZE_MAX - 1);
0184 #else
0185     return (1UL<<35);
0186 #endif
0187 }
0188
0189 static inline size_t drbg_max_requests(struct drbg_state *drbg)
0190 {
0191     /* SP800-90A requires 2**48 maximum requests before reseeding */
0192     return (1<<20);
0193 }
0194
0195 /*
0196  * This is a wrapper to the kernel crypto API function of
0197  * crypto_rng_generate() to allow the caller to provide additional data.
0198  *
0199  * @drng DRBG handle -- see crypto_rng_get_bytes
0200  * @outbuf output buffer -- see crypto_rng_get_bytes
0201  * @outlen length of output buffer -- see crypto_rng_get_bytes
0202  * @addtl_input additional information string input buffer
0203  * @addtllen length of additional information string buffer
0204  *
0205  * return
0206  *  see crypto_rng_get_bytes
0207  */
0208 static inline int crypto_drbg_get_bytes_addtl(struct crypto_rng *drng,
0209             unsigned char *outbuf, unsigned int outlen,
0210             struct drbg_string *addtl)
0211 {
0212     return crypto_rng_generate(drng, addtl->buf, addtl->len,
0213                    outbuf, outlen);
0214 }
0215
0216 /*
0217  * TEST code
0218  *
0219  * This is a wrapper to the kernel crypto API function of
0220  * crypto_rng_generate() to allow the caller to provide additional data and
0221  * allow furnishing of test_data
0222  *
0223  * @drng DRBG handle -- see crypto_rng_get_bytes
0224  * @outbuf output buffer -- see crypto_rng_get_bytes
0225  * @outlen length of output buffer -- see crypto_rng_get_bytes
0226  * @addtl_input additional information string input buffer
0227  * @addtllen length of additional information string buffer
0228  * @test_data filled test data
0229  *
0230  * return
0231  *  see crypto_rng_get_bytes
0232  */
0233 static inline int crypto_drbg_get_bytes_addtl_test(struct crypto_rng *drng,
0234             unsigned char *outbuf, unsigned int outlen,
0235             struct drbg_string *addtl,
0236             struct drbg_test_data *test_data)
0237 {
0238     crypto_rng_set_entropy(drng, test_data->testentropy->buf,
0239                    test_data->testentropy->len);
0240     return crypto_rng_generate(drng, addtl->buf, addtl->len,
0241                    outbuf, outlen);
0242 }
0243
0244 /*
0245  * TEST code
0246  *
0247  * This is a wrapper to the kernel crypto API function of
0248  * crypto_rng_reset() to allow the caller to provide test_data
0249  *
0250  * @drng DRBG handle -- see crypto_rng_reset
0251  * @pers personalization string input buffer
0252  * @perslen length of additional information string buffer
0253  * @test_data filled test data
0254  *
0255  * return
0256  *  see crypto_rng_reset
0257  */
0258 static inline int crypto_drbg_reset_test(struct crypto_rng *drng,
0259                      struct drbg_string *pers,
0260                      struct drbg_test_data *test_data)
0261 {
0262     crypto_rng_set_entropy(drng, test_data->testentropy->buf,
0263                    test_data->testentropy->len);
0264     return crypto_rng_reset(drng, pers->buf, pers->len);
0265 }
0266
0267 /* DRBG type flags */
0268 #define DRBG_CTR    ((drbg_flag_t)1<<0)
0269 #define DRBG_HMAC   ((drbg_flag_t)1<<1)
0270 #define DRBG_HASH   ((drbg_flag_t)1<<2)
0271 #define DRBG_TYPE_MASK  (DRBG_CTR | DRBG_HMAC | DRBG_HASH)
0272 /* DRBG strength flags */
0273 #define DRBG_STRENGTH128    ((drbg_flag_t)1<<3)
0274 #define DRBG_STRENGTH192    ((drbg_flag_t)1<<4)
0275 #define DRBG_STRENGTH256    ((drbg_flag_t)1<<5)
0276 #define DRBG_STRENGTH_MASK  (DRBG_STRENGTH128 | DRBG_STRENGTH192 | \
0277                  DRBG_STRENGTH256)
0278
0279 enum drbg_prefixes {
0280     DRBG_PREFIX0 = 0x00,
0281     DRBG_PREFIX1,
0282     DRBG_PREFIX2,
0283     DRBG_PREFIX3
0284 };
0285
0286 #endif /* _DRBG_H */