Blame view

crypto/ansi_cprng.c 9.58 KB
17f0f4a47   Neil Horman   crypto: rng - RNG...
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
  /*
   * PRNG: Pseudo Random Number Generator
   *       Based on NIST Recommended PRNG From ANSI X9.31 Appendix A.2.4 using
   *       AES 128 cipher
   *
   *  (C) Neil Horman <nhorman@tuxdriver.com>
   *
   *  This program is free software; you can redistribute it and/or modify it
   *  under the terms of the GNU General Public License as published by the
   *  Free Software Foundation; either version 2 of the License, or (at your
   *  any later version.
   *
   *
   */
  
  #include <crypto/internal/rng.h>
  #include <linux/err.h>
  #include <linux/init.h>
  #include <linux/module.h>
  #include <linux/moduleparam.h>
  #include <linux/string.h>
  
  #include "internal.h"
  
  #define DEFAULT_PRNG_KEY "0123456789abcdef"
  #define DEFAULT_PRNG_KSZ 16
  #define DEFAULT_BLK_SZ 16
  #define DEFAULT_V_SEED "zaybxcwdveuftgsh"
  
  /*
   * Flags for the prng_context flags field
   */
  
  #define PRNG_FIXED_SIZE 0x1
  #define PRNG_NEED_RESET 0x2
  
  /*
   * Note: DT is our counter value
   *	 I is our intermediate value
   *	 V is our seed vector
   * See http://csrc.nist.gov/groups/STM/cavp/documents/rng/931rngext.pdf
   * for implementation details
   */
  
  
  struct prng_context {
  	spinlock_t prng_lock;
  	unsigned char rand_data[DEFAULT_BLK_SZ];
  	unsigned char last_rand_data[DEFAULT_BLK_SZ];
  	unsigned char DT[DEFAULT_BLK_SZ];
  	unsigned char I[DEFAULT_BLK_SZ];
  	unsigned char V[DEFAULT_BLK_SZ];
  	u32 rand_data_valid;
  	struct crypto_cipher *tfm;
  	u32 flags;
  };
  
  static int dbg;
  
  static void hexdump(char *note, unsigned char *buf, unsigned int len)
  {
  	if (dbg) {
  		printk(KERN_CRIT "%s", note);
  		print_hex_dump(KERN_CONT, "", DUMP_PREFIX_OFFSET,
  				16, 1,
  				buf, len, false);
  	}
  }
  
  #define dbgprint(format, args...) do {\
  if (dbg)\
  	printk(format, ##args);\
  } while (0)
  
  static void xor_vectors(unsigned char *in1, unsigned char *in2,
  			unsigned char *out, unsigned int size)
  {
  	int i;
  
  	for (i = 0; i < size; i++)
  		out[i] = in1[i] ^ in2[i];
  
  }
  /*
   * Returns DEFAULT_BLK_SZ bytes of random data per call
   * returns 0 if generation succeded, <0 if something went wrong
   */
  static int _get_more_prng_bytes(struct prng_context *ctx)
  {
  	int i;
  	unsigned char tmp[DEFAULT_BLK_SZ];
  	unsigned char *output = NULL;
  
  
  	dbgprint(KERN_CRIT "Calling _get_more_prng_bytes for context %p
  ",
  		ctx);
  
  	hexdump("Input DT: ", ctx->DT, DEFAULT_BLK_SZ);
  	hexdump("Input I: ", ctx->I, DEFAULT_BLK_SZ);
  	hexdump("Input V: ", ctx->V, DEFAULT_BLK_SZ);
  
  	/*
  	 * This algorithm is a 3 stage state machine
  	 */
  	for (i = 0; i < 3; i++) {
  
  		switch (i) {
  		case 0:
  			/*
  			 * Start by encrypting the counter value
  			 * This gives us an intermediate value I
  			 */
  			memcpy(tmp, ctx->DT, DEFAULT_BLK_SZ);
  			output = ctx->I;
  			hexdump("tmp stage 0: ", tmp, DEFAULT_BLK_SZ);
  			break;
  		case 1:
  
  			/*
  			 * Next xor I with our secret vector V
  			 * encrypt that result to obtain our
  			 * pseudo random data which we output
  			 */
  			xor_vectors(ctx->I, ctx->V, tmp, DEFAULT_BLK_SZ);
  			hexdump("tmp stage 1: ", tmp, DEFAULT_BLK_SZ);
  			output = ctx->rand_data;
  			break;
  		case 2:
  			/*
  			 * First check that we didn't produce the same
  			 * random data that we did last time around through this
  			 */
  			if (!memcmp(ctx->rand_data, ctx->last_rand_data,
  					DEFAULT_BLK_SZ)) {
c5b1e545a   Neil Horman   crypto: ansi_cprn...
136
137
138
139
140
  				if (fips_enabled) {
  					panic("cprng %p Failed repetition check!
  ",
  						ctx);
  				}
17f0f4a47   Neil Horman   crypto: rng - RNG...
141
142
143
144
  				printk(KERN_ERR
  					"ctx %p Failed repetition check!
  ",
  					ctx);
c5b1e545a   Neil Horman   crypto: ansi_cprn...
145

17f0f4a47   Neil Horman   crypto: rng - RNG...
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
  				ctx->flags |= PRNG_NEED_RESET;
  				return -EINVAL;
  			}
  			memcpy(ctx->last_rand_data, ctx->rand_data,
  				DEFAULT_BLK_SZ);
  
  			/*
  			 * Lastly xor the random data with I
  			 * and encrypt that to obtain a new secret vector V
  			 */
  			xor_vectors(ctx->rand_data, ctx->I, tmp,
  				DEFAULT_BLK_SZ);
  			output = ctx->V;
  			hexdump("tmp stage 2: ", tmp, DEFAULT_BLK_SZ);
  			break;
  		}
  
  
  		/* do the encryption */
  		crypto_cipher_encrypt_one(ctx->tfm, output, tmp);
  
  	}
  
  	/*
  	 * Now update our DT value
  	 */
09fbf7c0f   Jarod Wilson   crypto: ansi_cprn...
172
  	for (i = DEFAULT_BLK_SZ - 1; i >= 0; i--) {
17f0f4a47   Neil Horman   crypto: rng - RNG...
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
  		ctx->DT[i] += 1;
  		if (ctx->DT[i] != 0)
  			break;
  	}
  
  	dbgprint("Returning new block for context %p
  ", ctx);
  	ctx->rand_data_valid = 0;
  
  	hexdump("Output DT: ", ctx->DT, DEFAULT_BLK_SZ);
  	hexdump("Output I: ", ctx->I, DEFAULT_BLK_SZ);
  	hexdump("Output V: ", ctx->V, DEFAULT_BLK_SZ);
  	hexdump("New Random Data: ", ctx->rand_data, DEFAULT_BLK_SZ);
  
  	return 0;
  }
  
  /* Our exported functions */
  static int get_prng_bytes(char *buf, size_t nbytes, struct prng_context *ctx)
  {
17f0f4a47   Neil Horman   crypto: rng - RNG...
193
194
195
196
197
198
199
  	unsigned char *ptr = buf;
  	unsigned int byte_count = (unsigned int)nbytes;
  	int err;
  
  
  	if (nbytes < 0)
  		return -EINVAL;
ed9407005   Sebastian Andrzej Siewior   crypto: ansi_prng...
200
  	spin_lock_bh(&ctx->prng_lock);
17f0f4a47   Neil Horman   crypto: rng - RNG...
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
  
  	err = -EINVAL;
  	if (ctx->flags & PRNG_NEED_RESET)
  		goto done;
  
  	/*
  	 * If the FIXED_SIZE flag is on, only return whole blocks of
  	 * pseudo random data
  	 */
  	err = -EINVAL;
  	if (ctx->flags & PRNG_FIXED_SIZE) {
  		if (nbytes < DEFAULT_BLK_SZ)
  			goto done;
  		byte_count = DEFAULT_BLK_SZ;
  	}
  
  	err = byte_count;
  
  	dbgprint(KERN_CRIT "getting %d random bytes for context %p
  ",
  		byte_count, ctx);
  
  
  remainder:
  	if (ctx->rand_data_valid == DEFAULT_BLK_SZ) {
  		if (_get_more_prng_bytes(ctx) < 0) {
  			memset(buf, 0, nbytes);
  			err = -EINVAL;
  			goto done;
  		}
  	}
  
  	/*
aa1a85dbd   Jarod Wilson   crypto: ansi_cprn...
234
  	 * Copy any data less than an entire block
17f0f4a47   Neil Horman   crypto: rng - RNG...
235
236
  	 */
  	if (byte_count < DEFAULT_BLK_SZ) {
aa1a85dbd   Jarod Wilson   crypto: ansi_cprn...
237
  empty_rbuf:
17f0f4a47   Neil Horman   crypto: rng - RNG...
238
239
240
241
242
243
244
245
246
247
248
249
250
251
  		for (; ctx->rand_data_valid < DEFAULT_BLK_SZ;
  			ctx->rand_data_valid++) {
  			*ptr = ctx->rand_data[ctx->rand_data_valid];
  			ptr++;
  			byte_count--;
  			if (byte_count == 0)
  				goto done;
  		}
  	}
  
  	/*
  	 * Now copy whole blocks
  	 */
  	for (; byte_count >= DEFAULT_BLK_SZ; byte_count -= DEFAULT_BLK_SZ) {
aa1a85dbd   Jarod Wilson   crypto: ansi_cprn...
252
253
254
255
256
257
  		if (ctx->rand_data_valid == DEFAULT_BLK_SZ) {
  			if (_get_more_prng_bytes(ctx) < 0) {
  				memset(buf, 0, nbytes);
  				err = -EINVAL;
  				goto done;
  			}
17f0f4a47   Neil Horman   crypto: rng - RNG...
258
  		}
aa1a85dbd   Jarod Wilson   crypto: ansi_cprn...
259
260
  		if (ctx->rand_data_valid > 0)
  			goto empty_rbuf;
17f0f4a47   Neil Horman   crypto: rng - RNG...
261
262
263
264
265
266
  		memcpy(ptr, ctx->rand_data, DEFAULT_BLK_SZ);
  		ctx->rand_data_valid += DEFAULT_BLK_SZ;
  		ptr += DEFAULT_BLK_SZ;
  	}
  
  	/*
aa1a85dbd   Jarod Wilson   crypto: ansi_cprn...
267
  	 * Now go back and get any remaining partial block
17f0f4a47   Neil Horman   crypto: rng - RNG...
268
269
270
271
272
  	 */
  	if (byte_count)
  		goto remainder;
  
  done:
ed9407005   Sebastian Andrzej Siewior   crypto: ansi_prng...
273
  	spin_unlock_bh(&ctx->prng_lock);
17f0f4a47   Neil Horman   crypto: rng - RNG...
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
  	dbgprint(KERN_CRIT "returning %d from get_prng_bytes in context %p
  ",
  		err, ctx);
  	return err;
  }
  
  static void free_prng_context(struct prng_context *ctx)
  {
  	crypto_free_cipher(ctx->tfm);
  }
  
  static int reset_prng_context(struct prng_context *ctx,
  			      unsigned char *key, size_t klen,
  			      unsigned char *V, unsigned char *DT)
  {
  	int ret;
17f0f4a47   Neil Horman   crypto: rng - RNG...
290
  	unsigned char *prng_key;
ed9407005   Sebastian Andrzej Siewior   crypto: ansi_prng...
291
  	spin_lock_bh(&ctx->prng_lock);
17f0f4a47   Neil Horman   crypto: rng - RNG...
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
  	ctx->flags |= PRNG_NEED_RESET;
  
  	prng_key = (key != NULL) ? key : (unsigned char *)DEFAULT_PRNG_KEY;
  
  	if (!key)
  		klen = DEFAULT_PRNG_KSZ;
  
  	if (V)
  		memcpy(ctx->V, V, DEFAULT_BLK_SZ);
  	else
  		memcpy(ctx->V, DEFAULT_V_SEED, DEFAULT_BLK_SZ);
  
  	if (DT)
  		memcpy(ctx->DT, DT, DEFAULT_BLK_SZ);
  	else
  		memset(ctx->DT, 0, DEFAULT_BLK_SZ);
  
  	memset(ctx->rand_data, 0, DEFAULT_BLK_SZ);
  	memset(ctx->last_rand_data, 0, DEFAULT_BLK_SZ);
17f0f4a47   Neil Horman   crypto: rng - RNG...
311
312
313
314
315
316
317
  	ctx->rand_data_valid = DEFAULT_BLK_SZ;
  
  	ret = crypto_cipher_setkey(ctx->tfm, prng_key, klen);
  	if (ret) {
  		dbgprint(KERN_CRIT "PRNG: setkey() failed flags=%x
  ",
  			crypto_cipher_get_flags(ctx->tfm));
17f0f4a47   Neil Horman   crypto: rng - RNG...
318
319
  		goto out;
  	}
fd09d7fac   Sebastian Andrzej Siewior   crypto: ansi_prng...
320
  	ret = 0;
17f0f4a47   Neil Horman   crypto: rng - RNG...
321
322
  	ctx->flags &= ~PRNG_NEED_RESET;
  out:
ed9407005   Sebastian Andrzej Siewior   crypto: ansi_prng...
323
  	spin_unlock_bh(&ctx->prng_lock);
fd09d7fac   Sebastian Andrzej Siewior   crypto: ansi_prng...
324
  	return ret;
17f0f4a47   Neil Horman   crypto: rng - RNG...
325
326
327
328
329
330
331
  }
  
  static int cprng_init(struct crypto_tfm *tfm)
  {
  	struct prng_context *ctx = crypto_tfm_ctx(tfm);
  
  	spin_lock_init(&ctx->prng_lock);
fd09d7fac   Sebastian Andrzej Siewior   crypto: ansi_prng...
332
333
334
335
336
337
338
  	ctx->tfm = crypto_alloc_cipher("aes", 0, 0);
  	if (IS_ERR(ctx->tfm)) {
  		dbgprint(KERN_CRIT "Failed to alloc tfm for context %p
  ",
  				ctx);
  		return PTR_ERR(ctx->tfm);
  	}
17f0f4a47   Neil Horman   crypto: rng - RNG...
339

d7992f42c   Neil Horman   crypto: ansi_cprn...
340
341
342
343
344
345
346
347
348
349
  	if (reset_prng_context(ctx, NULL, DEFAULT_PRNG_KSZ, NULL, NULL) < 0)
  		return -EINVAL;
  
  	/*
  	 * after allocation, we should always force the user to reset
  	 * so they don't inadvertently use the insecure default values
  	 * without specifying them intentially
  	 */
  	ctx->flags |= PRNG_NEED_RESET;
  	return 0;
17f0f4a47   Neil Horman   crypto: rng - RNG...
350
351
352
353
354
355
356
357
358
359
360
361
362
363
  }
  
  static void cprng_exit(struct crypto_tfm *tfm)
  {
  	free_prng_context(crypto_tfm_ctx(tfm));
  }
  
  static int cprng_get_random(struct crypto_rng *tfm, u8 *rdata,
  			    unsigned int dlen)
  {
  	struct prng_context *prng = crypto_rng_ctx(tfm);
  
  	return get_prng_bytes(rdata, dlen, prng);
  }
2566578a6   Neil Horman   crypto: ansi_cprn...
364
365
366
367
368
369
  /*
   *  This is the cprng_registered reset method the seed value is
   *  interpreted as the tuple { V KEY DT}
   *  V and KEY are required during reset, and DT is optional, detected
   *  as being present by testing the length of the seed
   */
17f0f4a47   Neil Horman   crypto: rng - RNG...
370
371
372
  static int cprng_reset(struct crypto_rng *tfm, u8 *seed, unsigned int slen)
  {
  	struct prng_context *prng = crypto_rng_ctx(tfm);
2566578a6   Neil Horman   crypto: ansi_cprn...
373
374
  	u8 *key = seed + DEFAULT_BLK_SZ;
  	u8 *dt = NULL;
17f0f4a47   Neil Horman   crypto: rng - RNG...
375
376
377
  
  	if (slen < DEFAULT_PRNG_KSZ + DEFAULT_BLK_SZ)
  		return -EINVAL;
2566578a6   Neil Horman   crypto: ansi_cprn...
378
379
380
381
  	if (slen >= (2 * DEFAULT_BLK_SZ + DEFAULT_PRNG_KSZ))
  		dt = key + DEFAULT_PRNG_KSZ;
  
  	reset_prng_context(prng, key, DEFAULT_PRNG_KSZ, seed, dt);
17f0f4a47   Neil Horman   crypto: rng - RNG...
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
  
  	if (prng->flags & PRNG_NEED_RESET)
  		return -EINVAL;
  	return 0;
  }
  
  static struct crypto_alg rng_alg = {
  	.cra_name		= "stdrng",
  	.cra_driver_name	= "ansi_cprng",
  	.cra_priority		= 100,
  	.cra_flags		= CRYPTO_ALG_TYPE_RNG,
  	.cra_ctxsize		= sizeof(struct prng_context),
  	.cra_type		= &crypto_rng_type,
  	.cra_module		= THIS_MODULE,
  	.cra_list		= LIST_HEAD_INIT(rng_alg.cra_list),
  	.cra_init		= cprng_init,
  	.cra_exit		= cprng_exit,
  	.cra_u			= {
  		.rng = {
  			.rng_make_random	= cprng_get_random,
  			.rng_reset		= cprng_reset,
2566578a6   Neil Horman   crypto: ansi_cprn...
403
  			.seedsize = DEFAULT_PRNG_KSZ + 2*DEFAULT_BLK_SZ,
17f0f4a47   Neil Horman   crypto: rng - RNG...
404
405
406
407
408
409
410
411
  		}
  	}
  };
  
  
  /* Module initalization */
  static int __init prng_mod_init(void)
  {
17f0f4a47   Neil Horman   crypto: rng - RNG...
412
413
  	if (fips_enabled)
  		rng_alg.cra_priority += 200;
a367b17f3   Steffen Klassert   crypto: ansi_cprn...
414
  	return crypto_register_alg(&rng_alg);
17f0f4a47   Neil Horman   crypto: rng - RNG...
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
  }
  
  static void __exit prng_mod_fini(void)
  {
  	crypto_unregister_alg(&rng_alg);
  	return;
  }
  
  MODULE_LICENSE("GPL");
  MODULE_DESCRIPTION("Software Pseudo Random Number Generator");
  MODULE_AUTHOR("Neil Horman <nhorman@tuxdriver.com>");
  module_param(dbg, int, 0);
  MODULE_PARM_DESC(dbg, "Boolean to enable debugging (0/1 == off/on)");
  module_init(prng_mod_init);
  module_exit(prng_mod_fini);
  MODULE_ALIAS("stdrng");