
Lines Matching +full:fips +full:- +full:140 +full:- +full:2

3  *       Based on NIST Recommended DRBG from NIST SP800-90A with the following
5 * * CTR DRBG with DF with AES-128, AES-192, AES-256 cores
6 * * Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
7 * * HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
18 * 2. Redistributions in binary form must reproduce the above copyright
29 * the restrictions contained in a BSD-style copyright.)
46 * The SP 800-90A DRBG allows the user to specify a personalization string
52 * ---------------------------------
63 * -------------------------------------------------------
68 * char personalization[11] = "some-string";
72 * // The reset completely re-initializes the DRBG with the provided
80 * ---------------------------------------------------------------------
84 * char addtl_string[11] = "some-string";
96 * -------------------------------------------------------------
201 * Return strength of DRBG according to SP800-90A section 8.4
223 * FIPS 140-2 continuous self test for the noise source (each new entropy block is compared against the previously seen one; an identical block is a failure)
231 * drbg->drbg_mutex must have been taken.
238 * -EAGAIN on when the CTRNG is not yet primed
244 unsigned short entropylen = drbg_sec_strength(drbg->core->flags); in drbg_fips_continuous_test()
251 if (list_empty(&drbg->test_data.list)) in drbg_fips_continuous_test()
253 /* only perform test in FIPS mode */ in drbg_fips_continuous_test()
257 if (!drbg->fips_primed) { in drbg_fips_continuous_test()
258 /* Priming of FIPS test */ in drbg_fips_continuous_test()
259 memcpy(drbg->prev, entropy, entropylen); in drbg_fips_continuous_test()
260 drbg->fips_primed = true; in drbg_fips_continuous_test()
262 return -EAGAIN; in drbg_fips_continuous_test()
264 ret = memcmp(drbg->prev, entropy, entropylen); in drbg_fips_continuous_test()
267 memcpy(drbg->prev, entropy, entropylen); in drbg_fips_continuous_test()
275 * The byte representation is big-endian
278 * @buf buffer holding the converted integer -- caller must ensure that
289 conversion->conv = cpu_to_be32(val); in drbg_cpu_to_be32()
329 /* 10.4.3 step 2 / 4 */ in drbg_ctr_bcc()
332 const unsigned char *pos = curr->buf; in drbg_ctr_bcc()
333 size_t len = curr->len; in drbg_ctr_bcc()
346 len--; in drbg_ctr_bcc()
362 * start: drbg->scratchpad
365 * blocklen-wise. Now, when the statelen is not a multiple
370 * start: drbg->scratchpad +
395 /* Derivation Function for CTR DRBG as defined in 10.4.2 */
400 int ret = -EFAULT; in drbg_ctr_df()
410 /* 10.4.2 step 7 */ in drbg_ctr_df()
412 /* 10.4.2 step 8 */ in drbg_ctr_df()
426 /* 10.4.2 step 1 is implicit as we work byte-wise */ in drbg_ctr_df()
428 /* 10.4.2 step 2 */ in drbg_ctr_df()
430 return -EINVAL; in drbg_ctr_df()
432 /* 10.4.2 step 2 -- calculate the entire length of all input data */ in drbg_ctr_df()
434 inputlen += seed->len; in drbg_ctr_df()
437 /* 10.4.2 step 3 */ in drbg_ctr_df()
440 /* 10.4.2 step 5: length is L_N, input_string, one byte, padding */ in drbg_ctr_df()
444 padlen = drbg_blocklen(drbg) - padlen; in drbg_ctr_df()
453 /* 10.4.2 step 4 -- first fill the linked list and then order it */ in drbg_ctr_df()
462 /* 10.4.2 step 9 */ in drbg_ctr_df()
465 * 10.4.2 step 9.1 - the padding is implicit as the buffer in drbg_ctr_df()
466 * holds zeros after allocation -- even the increment of i in drbg_ctr_df()
470 /* 10.4.2 step 9.2 -- BCC and concatenation with temp */ in drbg_ctr_df()
474 /* 10.4.2 step 9.3 */ in drbg_ctr_df()
479 /* 10.4.2 step 11 */ in drbg_ctr_df()
483 /* 10.4.2 step 12: overwriting of outval is implemented in next step */ in drbg_ctr_df()
485 /* 10.4.2 step 13 */ in drbg_ctr_df()
490 * 10.4.2 step 13.1: the truncation of the key length is in drbg_ctr_df()
498 (bytes_to_return - generated_len)) ? in drbg_ctr_df()
500 (bytes_to_return - generated_len); in drbg_ctr_df()
501 /* 10.4.2 step 13.2 and 14 */ in drbg_ctr_df()
522 * 2 => first invocation from drbg_ctr_update when addtl is present. In
533 int ret = -EFAULT; in drbg_ctr_update()
535 unsigned char *temp = drbg->scratchpad; in drbg_ctr_update()
536 unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) + in drbg_ctr_update()
546 * but SP800-90A requires that the counter is incremented before in drbg_ctr_update()
550 crypto_inc(drbg->V, drbg_blocklen(drbg)); in drbg_ctr_update()
552 ret = crypto_skcipher_setkey(drbg->ctr_handle, drbg->C, in drbg_ctr_update()
558 /* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */ in drbg_ctr_update()
571 ret = crypto_skcipher_setkey(drbg->ctr_handle, temp, in drbg_ctr_update()
576 memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg)); in drbg_ctr_update()
578 crypto_inc(drbg->V, drbg_blocklen(drbg)); in drbg_ctr_update()
583 if (2 != reseed) in drbg_ctr_update()
592 /* Generate function of CTR DRBG as defined in 10.2.1.5.2 */
600 /* 10.2.1.5.2 step 2 */ in drbg_ctr_generate()
602 ret = drbg_ctr_update(drbg, addtl, 2); in drbg_ctr_generate()
607 /* 10.2.1.5.2 step 4.1 */ in drbg_ctr_generate()
612 /* 10.2.1.5.2 step 6 */ in drbg_ctr_generate()
656 int ret = -EFAULT; in drbg_hmac_update()
663 /* 10.1.2.3 step 2 -- memset(0) of C is implicit with kzalloc */ in drbg_hmac_update()
664 memset(drbg->V, 1, drbg_statelen(drbg)); in drbg_hmac_update()
665 drbg_kcapi_hmacsetkey(drbg, drbg->C); in drbg_hmac_update()
668 drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg)); in drbg_hmac_update()
677 drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg)); in drbg_hmac_update()
679 for (i = 2; 0 < i; i--) { in drbg_hmac_update()
684 /* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */ in drbg_hmac_update()
686 ret = drbg_kcapi_hash(drbg, drbg->C, &seedlist); in drbg_hmac_update()
689 drbg_kcapi_hmacsetkey(drbg, drbg->C); in drbg_hmac_update()
691 /* 10.1.2.2 step 2 and 5 -- HMAC for V */ in drbg_hmac_update()
692 ret = drbg_kcapi_hash(drbg, drbg->V, &vdatalist); in drbg_hmac_update()
715 /* 10.1.2.5 step 2 */ in drbg_hmac_generate()
722 drbg_string_fill(&data, drbg->V, drbg_statelen(drbg)); in drbg_hmac_generate()
727 ret = drbg_kcapi_hash(drbg, drbg->V, &datalist); in drbg_hmac_generate()
730 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? in drbg_hmac_generate()
731 drbg_blocklen(drbg) : (buflen - len); in drbg_hmac_generate()
734 memcpy(buf + len, drbg->V, outlen); in drbg_hmac_generate()
787 dstptr = dst + (dstlen-1); in drbg_add_buf()
788 addptr = add + (addlen-1); in drbg_add_buf()
793 len--; dstptr--; addptr--; in drbg_add_buf()
795 len = dstlen - addlen; in drbg_add_buf()
800 len--; dstptr--; in drbg_add_buf()
808 * start: drbg->scratchpad
811 * start: drbg->scratchpad + drbg_statelen(drbg)
827 unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg); in drbg_hash_df()
834 /* 10.4.1 step 4.1 -- concatenation of data for input into hash */ in drbg_hash_df()
847 blocklen = (drbg_blocklen(drbg) < (outlen - len)) ? in drbg_hash_df()
848 drbg_blocklen(drbg) : (outlen - len); in drbg_hash_df()
866 unsigned char *V = drbg->scratchpad; in drbg_hash_update()
870 return -EINVAL; in drbg_hash_update()
874 memcpy(V, drbg->V, drbg_statelen(drbg)); in drbg_hash_update()
882 /* 10.1.1.2 / 10.1.1.3 step 2 and 3 */ in drbg_hash_update()
883 ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist); in drbg_hash_update()
891 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); in drbg_hash_update()
894 ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2); in drbg_hash_update()
897 memset(drbg->scratchpad, 0, drbg_statelen(drbg)); in drbg_hash_update()
910 /* 10.1.1.4 step 2 */ in drbg_hash_process_addtl()
914 /* 10.1.1.4 step 2a */ in drbg_hash_process_addtl()
916 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); in drbg_hash_process_addtl()
920 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist); in drbg_hash_process_addtl()
924 /* 10.1.1.4 step 2b */ in drbg_hash_process_addtl()
925 drbg_add_buf(drbg->V, drbg_statelen(drbg), in drbg_hash_process_addtl()
926 drbg->scratchpad, drbg_blocklen(drbg)); in drbg_hash_process_addtl()
929 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); in drbg_hash_process_addtl()
940 unsigned char *src = drbg->scratchpad; in drbg_hash_hashgen()
941 unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg); in drbg_hash_hashgen()
945 /* 10.1.1.4 step hashgen 2 */ in drbg_hash_hashgen()
946 memcpy(src, drbg->V, drbg_statelen(drbg)); in drbg_hash_hashgen()
958 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? in drbg_hash_hashgen()
959 drbg_blocklen(drbg) : (buflen - len); in drbg_hash_hashgen()
969 memset(drbg->scratchpad, 0, in drbg_hash_hashgen()
989 /* 10.1.1.4 step 2 */ in drbg_hash_generate()
1000 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); in drbg_hash_generate()
1002 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist); in drbg_hash_generate()
1009 drbg_add_buf(drbg->V, drbg_statelen(drbg), in drbg_hash_generate()
1010 drbg->scratchpad, drbg_blocklen(drbg)); in drbg_hash_generate()
1011 drbg_add_buf(drbg->V, drbg_statelen(drbg), in drbg_hash_generate()
1012 drbg->C, drbg_statelen(drbg)); in drbg_hash_generate()
1013 u.req_int = cpu_to_be64(drbg->reseed_ctr); in drbg_hash_generate()
1014 drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8); in drbg_hash_generate()
1017 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); in drbg_hash_generate()
1040 int ret = drbg->d_ops->update(drbg, seed, reseed); in __drbg_seed()
1045 drbg->seeded = true; in __drbg_seed()
1047 drbg->reseed_ctr = 1; in __drbg_seed()
1061 if (ret && ret != -EAGAIN) in drbg_get_random_bytes()
1074 unsigned int entropylen = drbg_sec_strength(drbg->core->flags); in drbg_async_seed()
1084 mutex_lock(&drbg->drbg_mutex); in drbg_async_seed()
1093 drbg->seeded = false; in drbg_async_seed()
1097 if (drbg->seeded) in drbg_async_seed()
1098 drbg->reseed_threshold = drbg_max_requests(drbg); in drbg_async_seed()
1101 mutex_unlock(&drbg->drbg_mutex); in drbg_async_seed()
1121 unsigned char entropy[((32 + 16) * 2)]; in drbg_seed()
1122 unsigned int entropylen = drbg_sec_strength(drbg->core->flags); in drbg_seed()
1127 if (pers && pers->len > (drbg_max_addtl(drbg))) { in drbg_seed()
1129 pers->len); in drbg_seed()
1130 return -EINVAL; in drbg_seed()
1133 if (list_empty(&drbg->test_data.list)) { in drbg_seed()
1134 drbg_string_fill(&data1, drbg->test_data.buf, in drbg_seed()
1135 drbg->test_data.len); in drbg_seed()
1141 * to the entropy. A nonce must be at least 1/2 of the security in drbg_seed()
1142 * strength of the DRBG in size. Thus, entropy + nonce is 3/2 in drbg_seed()
1148 entropylen = ((entropylen + 1) / 2) * 3; in drbg_seed()
1149 BUG_ON((entropylen * 2) > sizeof(entropy)); in drbg_seed()
1151 /* Get seed from in-kernel /dev/urandom */ in drbg_seed()
1156 if (!drbg->jent) { in drbg_seed()
1162 ret = crypto_rng_get_bytes(drbg->jent, in drbg_seed()
1175 * SP800-90A allowing us to treat the in drbg_seed()
1182 if (!reseed || ret != -EAGAIN) in drbg_seed()
1186 drbg_string_fill(&data1, entropy, entropylen * 2); in drbg_seed()
1188 entropylen * 2); in drbg_seed()
1198 if (pers && pers->buf && 0 < pers->len) { in drbg_seed()
1199 list_add_tail(&pers->list, &seedlist); in drbg_seed()
1204 memset(drbg->V, 0, drbg_statelen(drbg)); in drbg_seed()
1205 memset(drbg->C, 0, drbg_statelen(drbg)); in drbg_seed()
1211 memzero_explicit(entropy, entropylen * 2); in drbg_seed()
1221 kfree_sensitive(drbg->Vbuf); in drbg_dealloc_state()
1222 drbg->Vbuf = NULL; in drbg_dealloc_state()
1223 drbg->V = NULL; in drbg_dealloc_state()
1224 kfree_sensitive(drbg->Cbuf); in drbg_dealloc_state()
1225 drbg->Cbuf = NULL; in drbg_dealloc_state()
1226 drbg->C = NULL; in drbg_dealloc_state()
1227 kfree_sensitive(drbg->scratchpadbuf); in drbg_dealloc_state()
1228 drbg->scratchpadbuf = NULL; in drbg_dealloc_state()
1229 drbg->reseed_ctr = 0; in drbg_dealloc_state()
1230 drbg->d_ops = NULL; in drbg_dealloc_state()
1231 drbg->core = NULL; in drbg_dealloc_state()
1233 kfree_sensitive(drbg->prev); in drbg_dealloc_state()
1234 drbg->prev = NULL; in drbg_dealloc_state()
1235 drbg->fips_primed = false; in drbg_dealloc_state()
1240 * Allocate all sub-structures for a DRBG state.
1245 int ret = -ENOMEM; in drbg_alloc_state()
1248 switch (drbg->core->flags & DRBG_TYPE_MASK) { in drbg_alloc_state()
1251 drbg->d_ops = &drbg_hmac_ops; in drbg_alloc_state()
1256 drbg->d_ops = &drbg_hash_ops; in drbg_alloc_state()
1261 drbg->d_ops = &drbg_ctr_ops; in drbg_alloc_state()
1265 ret = -EOPNOTSUPP; in drbg_alloc_state()
1269 ret = drbg->d_ops->crypto_init(drbg); in drbg_alloc_state()
1273 drbg->Vbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL); in drbg_alloc_state()
1274 if (!drbg->Vbuf) { in drbg_alloc_state()
1275 ret = -ENOMEM; in drbg_alloc_state()
1278 drbg->V = PTR_ALIGN(drbg->Vbuf, ret + 1); in drbg_alloc_state()
1279 drbg->Cbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL); in drbg_alloc_state()
1280 if (!drbg->Cbuf) { in drbg_alloc_state()
1281 ret = -ENOMEM; in drbg_alloc_state()
1284 drbg->C = PTR_ALIGN(drbg->Cbuf, ret + 1); in drbg_alloc_state()
1286 if (drbg->core->flags & DRBG_HMAC) in drbg_alloc_state()
1288 else if (drbg->core->flags & DRBG_CTR) in drbg_alloc_state()
1298 drbg->scratchpadbuf = kzalloc(sb_size + ret, GFP_KERNEL); in drbg_alloc_state()
1299 if (!drbg->scratchpadbuf) { in drbg_alloc_state()
1300 ret = -ENOMEM; in drbg_alloc_state()
1303 drbg->scratchpad = PTR_ALIGN(drbg->scratchpadbuf, ret + 1); in drbg_alloc_state()
1307 drbg->prev = kzalloc(drbg_sec_strength(drbg->core->flags), in drbg_alloc_state()
1309 if (!drbg->prev) { in drbg_alloc_state()
1310 ret = -ENOMEM; in drbg_alloc_state()
1313 drbg->fips_primed = false; in drbg_alloc_state()
1319 drbg->d_ops->crypto_fini(drbg); in drbg_alloc_state()
1330 * DRBG generate function as required by SP800-90A - this function
1334 * @buf Buffer where to store the random numbers -- the buffer must already
1335 * be pre-allocated by caller
1336 * @buflen Length of output buffer - this value defines the number of random
1338 * @addtl Additional input that is mixed into state, may be NULL -- note
1340 * as defined in SP800-90A. The additional input is mixed into
1352 if (!drbg->core) { in drbg_generate()
1354 return -EINVAL; in drbg_generate()
1358 return -EINVAL; in drbg_generate()
1360 if (addtl && NULL == addtl->buf && 0 < addtl->len) { in drbg_generate()
1362 return -EINVAL; in drbg_generate()
1365 /* 9.3.1 step 2 */ in drbg_generate()
1366 len = -EINVAL; in drbg_generate()
1376 if (addtl && addtl->len > (drbg_max_addtl(drbg))) { in drbg_generate()
1378 addtl->len); in drbg_generate()
1384 * 9.3.1 step 6 and 9 supplemented by 9.3.2 step c is implemented in drbg_generate()
1387 if (drbg->reseed_threshold < drbg->reseed_ctr) in drbg_generate()
1388 drbg->seeded = false; in drbg_generate()
1390 if (drbg->pr || !drbg->seeded) { in drbg_generate()
1393 drbg->pr ? "true" : "false", in drbg_generate()
1394 drbg->seeded ? "seeded" : "unseeded"); in drbg_generate()
1403 if (addtl && 0 < addtl->len) in drbg_generate()
1404 list_add_tail(&addtl->list, &addtllist); in drbg_generate()
1406 len = drbg->d_ops->generate(drbg, buf, buflen, &addtllist); in drbg_generate()
1408 /* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */ in drbg_generate()
1409 drbg->reseed_ctr++; in drbg_generate()
1414 * Section 11.3.3 requires to re-perform self tests after some in drbg_generate()
1429 if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096)) { in drbg_generate()
1432 if (drbg->core->flags & DRBG_HMAC) in drbg_generate()
1435 else if (drbg->core->flags & DRBG_CTR) in drbg_generate()
1469 * Return codes: see drbg_generate -- if one drbg_generate request fails,
1481 slice = ((buflen - len) / drbg_max_request_bytes(drbg)); in drbg_generate_long()
1482 chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len); in drbg_generate_long()
1483 mutex_lock(&drbg->drbg_mutex); in drbg_generate_long()
1485 mutex_unlock(&drbg->drbg_mutex); in drbg_generate_long()
1498 schedule_work(&drbg->seed_work); in drbg_schedule_async_seed()
1506 if (list_empty(&drbg->test_data.list)) in drbg_prepare_hrng()
1509 drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0); in drbg_prepare_hrng()
1511 INIT_WORK(&drbg->seed_work, drbg_async_seed); in drbg_prepare_hrng()
1513 drbg->random_ready.owner = THIS_MODULE; in drbg_prepare_hrng()
1514 drbg->random_ready.func = drbg_schedule_async_seed; in drbg_prepare_hrng()
1516 err = add_random_ready_callback(&drbg->random_ready); in drbg_prepare_hrng()
1522 case -EALREADY: in drbg_prepare_hrng()
1527 drbg->random_ready.func = NULL; in drbg_prepare_hrng()
1535 drbg->reseed_threshold = 50; in drbg_prepare_hrng()
1541 * DRBG instantiation function as required by SP800-90A - this function
1543 * checks required by SP800-90A
1545 * @drbg memory of state -- if NULL, new memory is allocated
1546 * @pers Personalization string that is mixed into state, may be NULL -- note
1548 * as defined in SP800-90A. The additional input is mixed into
1565 mutex_lock(&drbg->drbg_mutex); in drbg_instantiate()
1570 * 9.1 step 2 is implicit as caller can select prediction resistance in drbg_instantiate()
1571 * and the flag is copied into drbg->flags -- in drbg_instantiate()
1577 if (!drbg->core) { in drbg_instantiate()
1578 drbg->core = &drbg_cores[coreref]; in drbg_instantiate()
1579 drbg->pr = pr; in drbg_instantiate()
1580 drbg->seeded = false; in drbg_instantiate()
1581 drbg->reseed_threshold = drbg_max_requests(drbg); in drbg_instantiate()
1591 if (IS_ERR(drbg->jent)) { in drbg_instantiate()
1592 ret = PTR_ERR(drbg->jent); in drbg_instantiate()
1593 drbg->jent = NULL; in drbg_instantiate()
1594 if (fips_enabled || ret != -ENOENT) in drbg_instantiate()
1607 mutex_unlock(&drbg->drbg_mutex); in drbg_instantiate()
1611 mutex_unlock(&drbg->drbg_mutex); in drbg_instantiate()
1615 mutex_unlock(&drbg->drbg_mutex); in drbg_instantiate()
1621 * DRBG uninstantiate function as required by SP800-90A - this function
1631 if (drbg->random_ready.func) { in drbg_uninstantiate()
1632 del_random_ready_callback(&drbg->random_ready); in drbg_uninstantiate()
1633 cancel_work_sync(&drbg->seed_work); in drbg_uninstantiate()
1636 if (!IS_ERR_OR_NULL(drbg->jent)) in drbg_uninstantiate()
1637 crypto_free_rng(drbg->jent); in drbg_uninstantiate()
1638 drbg->jent = NULL; in drbg_uninstantiate()
1640 if (drbg->d_ops) in drbg_uninstantiate()
1641 drbg->d_ops->crypto_fini(drbg); in drbg_uninstantiate()
1643 /* no scrubbing of test_data -- this shall survive an uninstantiate */ in drbg_uninstantiate()
1659 mutex_lock(&drbg->drbg_mutex); in drbg_kcapi_set_entropy()
1660 drbg_string_fill(&drbg->test_data, data, len); in drbg_kcapi_set_entropy()
1661 mutex_unlock(&drbg->drbg_mutex); in drbg_kcapi_set_entropy()
1679 tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0); in drbg_init_hash_kernel()
1682 drbg->core->backend_cra_name); in drbg_init_hash_kernel()
1690 return -ENOMEM; in drbg_init_hash_kernel()
1693 sdesc->shash.tfm = tfm; in drbg_init_hash_kernel()
1694 drbg->priv_data = sdesc; in drbg_init_hash_kernel()
1701 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; in drbg_fini_hash_kernel()
1703 crypto_free_shash(sdesc->shash.tfm); in drbg_fini_hash_kernel()
1706 drbg->priv_data = NULL; in drbg_fini_hash_kernel()
1713 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; in drbg_kcapi_hmacsetkey()
1715 crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg)); in drbg_kcapi_hmacsetkey()
1721 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; in drbg_kcapi_hash()
1724 crypto_shash_init(&sdesc->shash); in drbg_kcapi_hash()
1726 crypto_shash_update(&sdesc->shash, input->buf, input->len); in drbg_kcapi_hash()
1727 return crypto_shash_final(&sdesc->shash, outval); in drbg_kcapi_hash()
1735 (struct crypto_cipher *)drbg->priv_data; in drbg_fini_sym_kernel()
1738 drbg->priv_data = NULL; in drbg_fini_sym_kernel()
1740 if (drbg->ctr_handle) in drbg_fini_sym_kernel()
1741 crypto_free_skcipher(drbg->ctr_handle); in drbg_fini_sym_kernel()
1742 drbg->ctr_handle = NULL; in drbg_fini_sym_kernel()
1744 if (drbg->ctr_req) in drbg_fini_sym_kernel()
1745 skcipher_request_free(drbg->ctr_req); in drbg_fini_sym_kernel()
1746 drbg->ctr_req = NULL; in drbg_fini_sym_kernel()
1748 kfree(drbg->outscratchpadbuf); in drbg_fini_sym_kernel()
1749 drbg->outscratchpadbuf = NULL; in drbg_fini_sym_kernel()
1762 tfm = crypto_alloc_cipher(drbg->core->backend_cra_name, 0, 0); in drbg_init_sym_kernel()
1765 drbg->core->backend_cra_name); in drbg_init_sym_kernel()
1769 drbg->priv_data = tfm; in drbg_init_sym_kernel()
1772 drbg->core->backend_cra_name) >= CRYPTO_MAX_ALG_NAME) { in drbg_init_sym_kernel()
1774 return -EINVAL; in drbg_init_sym_kernel()
1783 drbg->ctr_handle = sk_tfm; in drbg_init_sym_kernel()
1784 crypto_init_wait(&drbg->ctr_wait); in drbg_init_sym_kernel()
1790 return -ENOMEM; in drbg_init_sym_kernel()
1792 drbg->ctr_req = req; in drbg_init_sym_kernel()
1795 crypto_req_done, &drbg->ctr_wait); in drbg_init_sym_kernel()
1798 drbg->outscratchpadbuf = kmalloc(DRBG_OUTSCRATCHLEN + alignmask, in drbg_init_sym_kernel()
1800 if (!drbg->outscratchpadbuf) { in drbg_init_sym_kernel()
1802 return -ENOMEM; in drbg_init_sym_kernel()
1804 drbg->outscratchpad = (u8 *)PTR_ALIGN(drbg->outscratchpadbuf, in drbg_init_sym_kernel()
1807 sg_init_table(&drbg->sg_in, 1); in drbg_init_sym_kernel()
1808 sg_init_one(&drbg->sg_out, drbg->outscratchpad, DRBG_OUTSCRATCHLEN); in drbg_init_sym_kernel()
1817 (struct crypto_cipher *)drbg->priv_data; in drbg_kcapi_symsetkey()
1826 (struct crypto_cipher *)drbg->priv_data; in drbg_kcapi_sym()
1829 BUG_ON(in->len < drbg_blocklen(drbg)); in drbg_kcapi_sym()
1830 crypto_cipher_encrypt_one(tfm, outval, in->buf); in drbg_kcapi_sym()
1838 struct scatterlist *sg_in = &drbg->sg_in, *sg_out = &drbg->sg_out; in drbg_kcapi_sym_ctr()
1843 /* Use caller-provided input buffer */ in drbg_kcapi_sym_ctr()
1846 /* Use scratchpad for in-place operation */ in drbg_kcapi_sym_ctr()
1848 memset(drbg->outscratchpad, 0, scratchpad_use); in drbg_kcapi_sym_ctr()
1849 sg_set_buf(sg_in, drbg->outscratchpad, scratchpad_use); in drbg_kcapi_sym_ctr()
1856 skcipher_request_set_crypt(drbg->ctr_req, sg_in, sg_out, in drbg_kcapi_sym_ctr()
1857 cryptlen, drbg->V); in drbg_kcapi_sym_ctr()
1858 ret = crypto_wait_req(crypto_skcipher_encrypt(drbg->ctr_req), in drbg_kcapi_sym_ctr()
1859 &drbg->ctr_wait); in drbg_kcapi_sym_ctr()
1863 crypto_init_wait(&drbg->ctr_wait); in drbg_kcapi_sym_ctr()
1865 memcpy(outbuf, drbg->outscratchpad, cryptlen); in drbg_kcapi_sym_ctr()
1866 memzero_explicit(drbg->outscratchpad, cryptlen); in drbg_kcapi_sym_ctr()
1868 outlen -= cryptlen; in drbg_kcapi_sym_ctr()
1912 len = strlen(cra_driver_name) - start; in drbg_convert_tfm_core()
1926 mutex_init(&drbg->drbg_mutex); in drbg_kcapi_init()
1990 * Tests as defined in 11.3.2 in addition to the cipher tests: testing
1993 * Note: testing of failing seed source as defined in 11.3.2 is not applicable
1996 * Note 2: There is no sensible way of testing the reseed counter
2005 int ret = -EFAULT; in drbg_healthcheck_sanity()
2006 int rc = -EFAULT; in drbg_healthcheck_sanity()
2012 /* only perform test in FIPS mode */ in drbg_healthcheck_sanity()
2026 return -ENOMEM; in drbg_healthcheck_sanity()
2028 mutex_init(&drbg->drbg_mutex); in drbg_healthcheck_sanity()
2029 drbg->core = &drbg_cores[coreref]; in drbg_healthcheck_sanity()
2030 drbg->reseed_threshold = drbg_max_requests(drbg); in drbg_healthcheck_sanity()
2035 * string lengths -- in case the error handling does not succeed in drbg_healthcheck_sanity()
2076 memcpy(alg->base.cra_name, "stdrng", 6); in drbg_fill_array()
2078 memcpy(alg->base.cra_driver_name, "drbg_pr_", 8); in drbg_fill_array()
2081 memcpy(alg->base.cra_driver_name, "drbg_nopr_", 10); in drbg_fill_array()
2084 memcpy(alg->base.cra_driver_name + pos, core->cra_name, in drbg_fill_array()
2085 strlen(core->cra_name)); in drbg_fill_array()
2087 alg->base.cra_priority = priority; in drbg_fill_array()
2090 * If FIPS mode enabled, the selected DRBG shall have the in drbg_fill_array()
2095 alg->base.cra_priority += 200; in drbg_fill_array()
2097 alg->base.cra_ctxsize = sizeof(struct drbg_state); in drbg_fill_array()
2098 alg->base.cra_module = THIS_MODULE; in drbg_fill_array()
2099 alg->base.cra_init = drbg_kcapi_init; in drbg_fill_array()
2100 alg->base.cra_exit = drbg_kcapi_cleanup; in drbg_fill_array()
2101 alg->generate = drbg_kcapi_random; in drbg_fill_array()
2102 alg->seed = drbg_kcapi_seed; in drbg_fill_array()
2103 alg->set_ent = drbg_kcapi_set_entropy; in drbg_fill_array()
2104 alg->seedsize = 0; in drbg_fill_array()
2117 if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) { in drbg_init()
2120 ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs)); in drbg_init()
2121 return -EFAULT; in drbg_init()
2137 return crypto_register_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); in drbg_init()
2142 crypto_unregister_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); in drbg_exit()
2158 MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) "