Commit b8454eebe380677789735fd6bad368af2e6b2d1e
Committed by
Herbert Xu
1 parent
166247f46a
Exists in
master
and in
4 other branches
crypto: prng - Deterministic CPRNG
This patch adds a cryptographic pseudo-random number generator based on CTR(AES-128). It is meant to be used in cases where a deterministic CPRNG is required. One of the first applications will be as an input in the IPsec IV generation process. Signed-off-by: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Showing 4 changed files with 447 additions and 1 deletions Side-by-side Diff
crypto/Kconfig
... | ... | @@ -666,6 +666,15 @@ |
666 | 666 | help |
667 | 667 | This is the LZO algorithm. |
668 | 668 | |
669 | +comment "Random Number Generation" | |
670 | + | |
671 | +config CRYPTO_PRNG | |
672 | + tristate "Pseudo Random Number Generation for Cryptographic modules" | |
673 | + help | |
674 | + This option enables the generic pseudo random number generator | |
675 | + for cryptographic modules. Uses the Algorithm specified in | |
676 | + ANSI X9.31 A.2.4 | |
677 | + | |
669 | 678 | source "drivers/crypto/Kconfig" |
670 | 679 | |
671 | 680 | endif # if CRYPTO |
crypto/Makefile
crypto/prng.c
1 | +/* | |
2 | + * PRNG: Pseudo Random Number Generator | |
3 | + * Based on NIST Recommended PRNG From ANSI X9.31 Appendix A.2.4 using | |
4 | + * AES 128 cipher in RFC3686 ctr mode | |
5 | + * | |
6 | + * (C) Neil Horman <nhorman@tuxdriver.com> | |
7 | + * | |
8 | + * This program is free software; you can redistribute it and/or modify it | |
9 | + * under the terms of the GNU General Public License as published by the | |
10 | + * Free Software Foundation; either version 2 of the License, or (at your | |
11 | + * any later version. | |
12 | + * | |
13 | + * | |
14 | + */ | |
15 | + | |
16 | +#include <linux/err.h> | |
17 | +#include <linux/init.h> | |
18 | +#include <linux/module.h> | |
19 | +#include <linux/mm.h> | |
20 | +#include <linux/slab.h> | |
21 | +#include <linux/fs.h> | |
22 | +#include <linux/scatterlist.h> | |
23 | +#include <linux/string.h> | |
24 | +#include <linux/crypto.h> | |
25 | +#include <linux/highmem.h> | |
26 | +#include <linux/moduleparam.h> | |
27 | +#include <linux/jiffies.h> | |
28 | +#include <linux/timex.h> | |
29 | +#include <linux/interrupt.h> | |
30 | +#include <linux/miscdevice.h> | |
31 | +#include "prng.h" | |
32 | + | |
33 | +#define TEST_PRNG_ON_START 0 | |
34 | + | |
35 | +#define DEFAULT_PRNG_KEY "0123456789abcdef1011" | |
36 | +#define DEFAULT_PRNG_KSZ 20 | |
37 | +#define DEFAULT_PRNG_IV "defaultv" | |
38 | +#define DEFAULT_PRNG_IVSZ 8 | |
39 | +#define DEFAULT_BLK_SZ 16 | |
40 | +#define DEFAULT_V_SEED "zaybxcwdveuftgsh" | |
41 | + | |
42 | +/* | |
43 | + * Flags for the prng_context flags field | |
44 | + */ | |
45 | + | |
46 | +#define PRNG_FIXED_SIZE 0x1 | |
47 | +#define PRNG_NEED_RESET 0x2 | |
48 | + | |
49 | +/* | |
50 | + * Note: DT is our counter value | |
51 | + * I is our intermediate value | |
52 | + * V is our seed vector | |
53 | + * See http://csrc.nist.gov/groups/STM/cavp/documents/rng/931rngext.pdf | |
54 | + * for implementation details | |
55 | + */ | |
56 | + | |
57 | + | |
58 | +struct prng_context { | |
59 | + char *prng_key; | |
60 | + char *prng_iv; | |
61 | + spinlock_t prng_lock; | |
62 | + unsigned char rand_data[DEFAULT_BLK_SZ]; | |
63 | + unsigned char last_rand_data[DEFAULT_BLK_SZ]; | |
64 | + unsigned char DT[DEFAULT_BLK_SZ]; | |
65 | + unsigned char I[DEFAULT_BLK_SZ]; | |
66 | + unsigned char V[DEFAULT_BLK_SZ]; | |
67 | + u32 rand_data_valid; | |
68 | + struct crypto_blkcipher *tfm; | |
69 | + u32 flags; | |
70 | +}; | |
71 | + | |
72 | +static int dbg; | |
73 | + | |
74 | +static void hexdump(char *note, unsigned char *buf, unsigned int len) | |
75 | +{ | |
76 | + if (dbg) { | |
77 | + printk(KERN_CRIT "%s", note); | |
78 | + print_hex_dump(KERN_CONT, "", DUMP_PREFIX_OFFSET, | |
79 | + 16, 1, | |
80 | + buf, len, false); | |
81 | + } | |
82 | +} | |
83 | + | |
84 | +#define dbgprint(format, args...) do {if(dbg) printk(format, ##args);} while(0) | |
85 | + | |
86 | +static void xor_vectors(unsigned char *in1, unsigned char *in2, | |
87 | + unsigned char *out, unsigned int size) | |
88 | +{ | |
89 | + int i; | |
90 | + | |
91 | + for (i=0;i<size;i++) | |
92 | + out[i] = in1[i] ^ in2[i]; | |
93 | + | |
94 | +} | |
95 | +/* | |
96 | + * Returns DEFAULT_BLK_SZ bytes of random data per call | |
97 | + * returns 0 if generation succeded, <0 if something went wrong | |
98 | + */ | |
99 | +static int _get_more_prng_bytes(struct prng_context *ctx) | |
100 | +{ | |
101 | + int i; | |
102 | + struct blkcipher_desc desc; | |
103 | + struct scatterlist sg_in, sg_out; | |
104 | + int ret; | |
105 | + unsigned char tmp[DEFAULT_BLK_SZ]; | |
106 | + | |
107 | + desc.tfm = ctx->tfm; | |
108 | + desc.flags = 0; | |
109 | + | |
110 | + | |
111 | + dbgprint(KERN_CRIT "Calling _get_more_prng_bytes for context %p\n",ctx); | |
112 | + | |
113 | + hexdump("Input DT: ", ctx->DT, DEFAULT_BLK_SZ); | |
114 | + hexdump("Input I: ", ctx->I, DEFAULT_BLK_SZ); | |
115 | + hexdump("Input V: ", ctx->V, DEFAULT_BLK_SZ); | |
116 | + | |
117 | + /* | |
118 | + * This algorithm is a 3 stage state machine | |
119 | + */ | |
120 | + for (i=0;i<3;i++) { | |
121 | + | |
122 | + desc.tfm = ctx->tfm; | |
123 | + desc.flags = 0; | |
124 | + switch (i) { | |
125 | + case 0: | |
126 | + /* | |
127 | + * Start by encrypting the counter value | |
128 | + * This gives us an intermediate value I | |
129 | + */ | |
130 | + memcpy(tmp, ctx->DT, DEFAULT_BLK_SZ); | |
131 | + sg_init_one(&sg_out, &ctx->I[0], DEFAULT_BLK_SZ); | |
132 | + hexdump("tmp stage 0: ", tmp, DEFAULT_BLK_SZ); | |
133 | + break; | |
134 | + case 1: | |
135 | + | |
136 | + /* | |
137 | + * Next xor I with our secret vector V | |
138 | + * encrypt that result to obtain our | |
139 | + * pseudo random data which we output | |
140 | + */ | |
141 | + xor_vectors(ctx->I, ctx->V, tmp, DEFAULT_BLK_SZ); | |
142 | + sg_init_one(&sg_out, &ctx->rand_data[0], DEFAULT_BLK_SZ); | |
143 | + hexdump("tmp stage 1: ", tmp, DEFAULT_BLK_SZ); | |
144 | + break; | |
145 | + case 2: | |
146 | + /* | |
147 | + * First check that we didn't produce the same random data | |
148 | + * that we did last time around through this | |
149 | + */ | |
150 | + if (!memcmp(ctx->rand_data, ctx->last_rand_data, DEFAULT_BLK_SZ)) { | |
151 | + printk(KERN_ERR "ctx %p Failed repetition check!\n", | |
152 | + ctx); | |
153 | + ctx->flags |= PRNG_NEED_RESET; | |
154 | + return -1; | |
155 | + } | |
156 | + memcpy(ctx->last_rand_data, ctx->rand_data, DEFAULT_BLK_SZ); | |
157 | + | |
158 | + /* | |
159 | + * Lastly xor the random data with I | |
160 | + * and encrypt that to obtain a new secret vector V | |
161 | + */ | |
162 | + xor_vectors(ctx->rand_data, ctx->I, tmp, DEFAULT_BLK_SZ); | |
163 | + sg_init_one(&sg_out, &ctx->V[0], DEFAULT_BLK_SZ); | |
164 | + hexdump("tmp stage 2: ", tmp, DEFAULT_BLK_SZ); | |
165 | + break; | |
166 | + } | |
167 | + | |
168 | + /* Initialize our input buffer */ | |
169 | + sg_init_one(&sg_in, &tmp[0], DEFAULT_BLK_SZ); | |
170 | + | |
171 | + /* do the encryption */ | |
172 | + ret = crypto_blkcipher_encrypt(&desc, &sg_out, &sg_in, DEFAULT_BLK_SZ); | |
173 | + | |
174 | + /* And check the result */ | |
175 | + if (ret) { | |
176 | + dbgprint(KERN_CRIT "Encryption of new block failed for context %p\n",ctx); | |
177 | + ctx->rand_data_valid = DEFAULT_BLK_SZ; | |
178 | + return -1; | |
179 | + } | |
180 | + | |
181 | + } | |
182 | + | |
183 | + /* | |
184 | + * Now update our DT value | |
185 | + */ | |
186 | + for (i=DEFAULT_BLK_SZ-1;i>0;i--) { | |
187 | + ctx->DT[i] = ctx->DT[i-1]; | |
188 | + } | |
189 | + ctx->DT[0] += 1; | |
190 | + | |
191 | + dbgprint("Returning new block for context %p\n",ctx); | |
192 | + ctx->rand_data_valid = 0; | |
193 | + | |
194 | + hexdump("Output DT: ", ctx->DT, DEFAULT_BLK_SZ); | |
195 | + hexdump("Output I: ", ctx->I, DEFAULT_BLK_SZ); | |
196 | + hexdump("Output V: ", ctx->V, DEFAULT_BLK_SZ); | |
197 | + hexdump("New Random Data: ", ctx->rand_data, DEFAULT_BLK_SZ); | |
198 | + | |
199 | + return 0; | |
200 | +} | |
201 | + | |
202 | +/* Our exported functions */ | |
203 | +int get_prng_bytes(char *buf, int nbytes, struct prng_context *ctx) | |
204 | +{ | |
205 | + unsigned long flags; | |
206 | + unsigned char *ptr = buf; | |
207 | + unsigned int byte_count = (unsigned int)nbytes; | |
208 | + int err; | |
209 | + | |
210 | + | |
211 | + if (nbytes < 0) | |
212 | + return -EINVAL; | |
213 | + | |
214 | + spin_lock_irqsave(&ctx->prng_lock, flags); | |
215 | + | |
216 | + err = -EFAULT; | |
217 | + if (ctx->flags & PRNG_NEED_RESET) | |
218 | + goto done; | |
219 | + | |
220 | + /* | |
221 | + * If the FIXED_SIZE flag is on, only return whole blocks of | |
222 | + * pseudo random data | |
223 | + */ | |
224 | + err = -EINVAL; | |
225 | + if (ctx->flags & PRNG_FIXED_SIZE) { | |
226 | + if (nbytes < DEFAULT_BLK_SZ) | |
227 | + goto done; | |
228 | + byte_count = DEFAULT_BLK_SZ; | |
229 | + } | |
230 | + | |
231 | + err = byte_count; | |
232 | + | |
233 | + dbgprint(KERN_CRIT "getting %d random bytes for context %p\n",byte_count, ctx); | |
234 | + | |
235 | + | |
236 | +remainder: | |
237 | + if (ctx->rand_data_valid == DEFAULT_BLK_SZ) { | |
238 | + if (_get_more_prng_bytes(ctx) < 0) { | |
239 | + memset(buf, 0, nbytes); | |
240 | + err = -EFAULT; | |
241 | + goto done; | |
242 | + } | |
243 | + } | |
244 | + | |
245 | + /* | |
246 | + * Copy up to the next whole block size | |
247 | + */ | |
248 | + if (byte_count < DEFAULT_BLK_SZ) { | |
249 | + for (;ctx->rand_data_valid < DEFAULT_BLK_SZ; ctx->rand_data_valid++) { | |
250 | + *ptr = ctx->rand_data[ctx->rand_data_valid]; | |
251 | + ptr++; | |
252 | + byte_count--; | |
253 | + if (byte_count == 0) | |
254 | + goto done; | |
255 | + } | |
256 | + } | |
257 | + | |
258 | + /* | |
259 | + * Now copy whole blocks | |
260 | + */ | |
261 | + for(;byte_count >= DEFAULT_BLK_SZ; byte_count -= DEFAULT_BLK_SZ) { | |
262 | + if (_get_more_prng_bytes(ctx) < 0) { | |
263 | + memset(buf, 0, nbytes); | |
264 | + err = -1; | |
265 | + goto done; | |
266 | + } | |
267 | + memcpy(ptr, ctx->rand_data, DEFAULT_BLK_SZ); | |
268 | + ctx->rand_data_valid += DEFAULT_BLK_SZ; | |
269 | + ptr += DEFAULT_BLK_SZ; | |
270 | + } | |
271 | + | |
272 | + /* | |
273 | + * Now copy any extra partial data | |
274 | + */ | |
275 | + if (byte_count) | |
276 | + goto remainder; | |
277 | + | |
278 | +done: | |
279 | + spin_unlock_irqrestore(&ctx->prng_lock, flags); | |
280 | + dbgprint(KERN_CRIT "returning %d from get_prng_bytes in context %p\n",err, ctx); | |
281 | + return err; | |
282 | +} | |
283 | +EXPORT_SYMBOL_GPL(get_prng_bytes); | |
284 | + | |
285 | +struct prng_context *alloc_prng_context(void) | |
286 | +{ | |
287 | + struct prng_context *ctx=kzalloc(sizeof(struct prng_context), GFP_KERNEL); | |
288 | + | |
289 | + spin_lock_init(&ctx->prng_lock); | |
290 | + | |
291 | + if (reset_prng_context(ctx, NULL, NULL, NULL, NULL)) { | |
292 | + kfree(ctx); | |
293 | + ctx = NULL; | |
294 | + } | |
295 | + | |
296 | + dbgprint(KERN_CRIT "returning context %p\n",ctx); | |
297 | + return ctx; | |
298 | +} | |
299 | + | |
300 | +EXPORT_SYMBOL_GPL(alloc_prng_context); | |
301 | + | |
302 | +void free_prng_context(struct prng_context *ctx) | |
303 | +{ | |
304 | + crypto_free_blkcipher(ctx->tfm); | |
305 | + kfree(ctx); | |
306 | +} | |
307 | +EXPORT_SYMBOL_GPL(free_prng_context); | |
308 | + | |
309 | +int reset_prng_context(struct prng_context *ctx, | |
310 | + unsigned char *key, unsigned char *iv, | |
311 | + unsigned char *V, unsigned char *DT) | |
312 | +{ | |
313 | + int ret; | |
314 | + int iv_len; | |
315 | + int rc = -EFAULT; | |
316 | + | |
317 | + spin_lock(&ctx->prng_lock); | |
318 | + ctx->flags |= PRNG_NEED_RESET; | |
319 | + | |
320 | + if (key) | |
321 | + memcpy(ctx->prng_key,key,strlen(ctx->prng_key)); | |
322 | + else | |
323 | + ctx->prng_key = DEFAULT_PRNG_KEY; | |
324 | + | |
325 | + if (iv) | |
326 | + memcpy(ctx->prng_iv,iv, strlen(ctx->prng_iv)); | |
327 | + else | |
328 | + ctx->prng_iv = DEFAULT_PRNG_IV; | |
329 | + | |
330 | + if (V) | |
331 | + memcpy(ctx->V,V,DEFAULT_BLK_SZ); | |
332 | + else | |
333 | + memcpy(ctx->V,DEFAULT_V_SEED,DEFAULT_BLK_SZ); | |
334 | + | |
335 | + if (DT) | |
336 | + memcpy(ctx->DT, DT, DEFAULT_BLK_SZ); | |
337 | + else | |
338 | + memset(ctx->DT, 0, DEFAULT_BLK_SZ); | |
339 | + | |
340 | + memset(ctx->rand_data,0,DEFAULT_BLK_SZ); | |
341 | + memset(ctx->last_rand_data,0,DEFAULT_BLK_SZ); | |
342 | + | |
343 | + if (ctx->tfm) | |
344 | + crypto_free_blkcipher(ctx->tfm); | |
345 | + | |
346 | + ctx->tfm = crypto_alloc_blkcipher("rfc3686(ctr(aes))",0,0); | |
347 | + if (!ctx->tfm) { | |
348 | + dbgprint(KERN_CRIT "Failed to alloc crypto tfm for context %p\n",ctx->tfm); | |
349 | + goto out; | |
350 | + } | |
351 | + | |
352 | + ctx->rand_data_valid = DEFAULT_BLK_SZ; | |
353 | + | |
354 | + ret = crypto_blkcipher_setkey(ctx->tfm, ctx->prng_key, strlen(ctx->prng_key)); | |
355 | + if (ret) { | |
356 | + dbgprint(KERN_CRIT "PRNG: setkey() failed flags=%x\n", | |
357 | + crypto_blkcipher_get_flags(ctx->tfm)); | |
358 | + crypto_free_blkcipher(ctx->tfm); | |
359 | + goto out; | |
360 | + } | |
361 | + | |
362 | + iv_len = crypto_blkcipher_ivsize(ctx->tfm); | |
363 | + if (iv_len) { | |
364 | + crypto_blkcipher_set_iv(ctx->tfm, ctx->prng_iv, iv_len); | |
365 | + } | |
366 | + rc = 0; | |
367 | + ctx->flags &= ~PRNG_NEED_RESET; | |
368 | +out: | |
369 | + spin_unlock(&ctx->prng_lock); | |
370 | + | |
371 | + return rc; | |
372 | + | |
373 | +} | |
374 | +EXPORT_SYMBOL_GPL(reset_prng_context); | |
375 | + | |
376 | +/* Module initalization */ | |
377 | +static int __init prng_mod_init(void) | |
378 | +{ | |
379 | + | |
380 | +#ifdef TEST_PRNG_ON_START | |
381 | + int i; | |
382 | + unsigned char tmpbuf[DEFAULT_BLK_SZ]; | |
383 | + | |
384 | + struct prng_context *ctx = alloc_prng_context(); | |
385 | + if (ctx == NULL) | |
386 | + return -EFAULT; | |
387 | + for (i=0;i<16;i++) { | |
388 | + if (get_prng_bytes(tmpbuf, DEFAULT_BLK_SZ, ctx) < 0) { | |
389 | + free_prng_context(ctx); | |
390 | + return -EFAULT; | |
391 | + } | |
392 | + } | |
393 | + free_prng_context(ctx); | |
394 | +#endif | |
395 | + | |
396 | + return 0; | |
397 | +} | |
398 | + | |
399 | +static void __exit prng_mod_fini(void) | |
400 | +{ | |
401 | + return; | |
402 | +} | |
403 | + | |
404 | +MODULE_LICENSE("GPL"); | |
405 | +MODULE_DESCRIPTION("Software Pseudo Random Number Generator"); | |
406 | +MODULE_AUTHOR("Neil Horman <nhorman@tuxdriver.com>"); | |
407 | +module_param(dbg, int, 0); | |
408 | +MODULE_PARM_DESC(dbg, "Boolean to enable debugging (0/1 == off/on)"); | |
409 | +module_init(prng_mod_init); | |
410 | +module_exit(prng_mod_fini); |
crypto/prng.h
1 | +/* | |
2 | + * PRNG: Pseudo Random Number Generator | |
3 | + * | |
4 | + * (C) Neil Horman <nhorman@tuxdriver.com> | |
5 | + * | |
6 | + * This program is free software; you can redistribute it and/or modify it | |
7 | + * under the terms of the GNU General Public License as published by the | |
8 | + * Free Software Foundation; either version 2 of the License, or (at your | |
9 | + * any later version. | |
10 | + * | |
11 | + * | |
12 | + */ | |
13 | + | |
14 | +#ifndef _PRNG_H_ | |
15 | +#define _PRNG_H_ | |
16 | +struct prng_context; | |
17 | + | |
18 | +int get_prng_bytes(char *buf, int nbytes, struct prng_context *ctx); | |
19 | +struct prng_context *alloc_prng_context(void); | |
20 | +int reset_prng_context(struct prng_context *ctx, | |
21 | + unsigned char *key, unsigned char *iv, | |
22 | + unsigned char *V, | |
23 | + unsigned char *DT); | |
24 | +void free_prng_context(struct prng_context *ctx); | |
25 | + | |
26 | +#endif |