Lines Matching +full:fips +full:- +full:140 +full:- +full:2
3 * Based on NIST Recommended DRBG from NIST SP800-90A with the following
5 * * CTR DRBG with DF with AES-128, AES-192, AES-256 cores
6 * * Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
7 * * HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
18 * 2. Redistributions in binary form must reproduce the above copyright
29 * the restrictions contained in a BSD-style copyright.)
46 * The SP 800-90A DRBG allows the user to specify a personalization string
52 * ---------------------------------
63 * -------------------------------------------------------
68 * char personalization[11] = "some-string";
72 * // The reset completely re-initializes the DRBG with the provided
80 * ---------------------------------------------------------------------
84 * char addtl_string[11] = "some-string";
96 * -------------------------------------------------------------
201 * Return strength of DRBG according to SP800-90A section 8.4
223 * FIPS 140-2 continuous self test for the noise source
231 * drbg->drbg_mutex must have been taken.
238 * -EAGAIN on when the CTRNG is not yet primed
244 unsigned short entropylen = drbg_sec_strength(drbg->core->flags); in drbg_fips_continuous_test()
251 if (list_empty(&drbg->test_data.list)) in drbg_fips_continuous_test()
253 /* only perform test in FIPS mode */ in drbg_fips_continuous_test()
257 if (!drbg->fips_primed) { in drbg_fips_continuous_test()
258 /* Priming of FIPS test */ in drbg_fips_continuous_test()
259 memcpy(drbg->prev, entropy, entropylen); in drbg_fips_continuous_test()
260 drbg->fips_primed = true; in drbg_fips_continuous_test()
262 return -EAGAIN; in drbg_fips_continuous_test()
264 ret = memcmp(drbg->prev, entropy, entropylen); in drbg_fips_continuous_test()
267 memcpy(drbg->prev, entropy, entropylen); in drbg_fips_continuous_test()
275 * The byte representation is big-endian
278 * @buf buffer holding the converted integer -- caller must ensure that
289 conversion->conv = cpu_to_be32(val); in drbg_cpu_to_be32()
329 /* 10.4.3 step 2 / 4 */ in drbg_ctr_bcc()
332 const unsigned char *pos = curr->buf; in drbg_ctr_bcc()
333 size_t len = curr->len; in drbg_ctr_bcc()
346 len--; in drbg_ctr_bcc()
362 * start: drbg->scratchpad
365 * blocklen-wise. Now, when the statelen is not a multiple
370 * start: drbg->scratchpad +
395 /* Derivation Function for CTR DRBG as defined in 10.4.2 */
400 int ret = -EFAULT; in drbg_ctr_df()
410 /* 10.4.2 step 7 */ in drbg_ctr_df()
412 /* 10.4.2 step 8 */ in drbg_ctr_df()
426 /* 10.4.2 step 1 is implicit as we work byte-wise */ in drbg_ctr_df()
428 /* 10.4.2 step 2 */ in drbg_ctr_df()
430 return -EINVAL; in drbg_ctr_df()
432 /* 10.4.2 step 2 -- calculate the entire length of all input data */ in drbg_ctr_df()
434 inputlen += seed->len; in drbg_ctr_df()
437 /* 10.4.2 step 3 */ in drbg_ctr_df()
440 /* 10.4.2 step 5: length is L_N, input_string, one byte, padding */ in drbg_ctr_df()
444 padlen = drbg_blocklen(drbg) - padlen; in drbg_ctr_df()
453 /* 10.4.2 step 4 -- first fill the linked list and then order it */ in drbg_ctr_df()
462 /* 10.4.2 step 9 */ in drbg_ctr_df()
465 * 10.4.2 step 9.1 - the padding is implicit as the buffer in drbg_ctr_df()
466 * holds zeros after allocation -- even the increment of i in drbg_ctr_df()
470 /* 10.4.2 step 9.2 -- BCC and concatenation with temp */ in drbg_ctr_df()
474 /* 10.4.2 step 9.3 */ in drbg_ctr_df()
479 /* 10.4.2 step 11 */ in drbg_ctr_df()
483 /* 10.4.2 step 12: overwriting of outval is implemented in next step */ in drbg_ctr_df()
485 /* 10.4.2 step 13 */ in drbg_ctr_df()
490 * 10.4.2 step 13.1: the truncation of the key length is in drbg_ctr_df()
498 (bytes_to_return - generated_len)) ? in drbg_ctr_df()
500 (bytes_to_return - generated_len); in drbg_ctr_df()
501 /* 10.4.2 step 13.2 and 14 */ in drbg_ctr_df()
522 * 2 => first invocation from drbg_ctr_update when addtl is present. In
533 int ret = -EFAULT; in drbg_ctr_update()
535 unsigned char *temp = drbg->scratchpad; in drbg_ctr_update()
536 unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) + in drbg_ctr_update()
546 * but SP800-90A requires that the counter is incremented before in drbg_ctr_update()
550 crypto_inc(drbg->V, drbg_blocklen(drbg)); in drbg_ctr_update()
552 ret = crypto_skcipher_setkey(drbg->ctr_handle, drbg->C, in drbg_ctr_update()
558 /* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */ in drbg_ctr_update()
571 ret = crypto_skcipher_setkey(drbg->ctr_handle, temp, in drbg_ctr_update()
576 memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg)); in drbg_ctr_update()
578 crypto_inc(drbg->V, drbg_blocklen(drbg)); in drbg_ctr_update()
583 if (2 != reseed) in drbg_ctr_update()
592 /* Generate function of CTR DRBG as defined in 10.2.1.5.2 */
600 /* 10.2.1.5.2 step 2 */ in drbg_ctr_generate()
602 ret = drbg_ctr_update(drbg, addtl, 2); in drbg_ctr_generate()
607 /* 10.2.1.5.2 step 4.1 */ in drbg_ctr_generate()
612 /* 10.2.1.5.2 step 6 */ in drbg_ctr_generate()
656 int ret = -EFAULT; in drbg_hmac_update()
663 /* 10.1.2.3 step 2 -- memset(0) of C is implicit with kzalloc */ in drbg_hmac_update()
664 memset(drbg->V, 1, drbg_statelen(drbg)); in drbg_hmac_update()
665 drbg_kcapi_hmacsetkey(drbg, drbg->C); in drbg_hmac_update()
668 drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg)); in drbg_hmac_update()
677 drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg)); in drbg_hmac_update()
679 for (i = 2; 0 < i; i--) { in drbg_hmac_update()
684 /* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */ in drbg_hmac_update()
686 ret = drbg_kcapi_hash(drbg, drbg->C, &seedlist); in drbg_hmac_update()
689 drbg_kcapi_hmacsetkey(drbg, drbg->C); in drbg_hmac_update()
691 /* 10.1.2.2 step 2 and 5 -- HMAC for V */ in drbg_hmac_update()
692 ret = drbg_kcapi_hash(drbg, drbg->V, &vdatalist); in drbg_hmac_update()
715 /* 10.1.2.5 step 2 */ in drbg_hmac_generate()
722 drbg_string_fill(&data, drbg->V, drbg_statelen(drbg)); in drbg_hmac_generate()
727 ret = drbg_kcapi_hash(drbg, drbg->V, &datalist); in drbg_hmac_generate()
730 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? in drbg_hmac_generate()
731 drbg_blocklen(drbg) : (buflen - len); in drbg_hmac_generate()
734 memcpy(buf + len, drbg->V, outlen); in drbg_hmac_generate()
787 dstptr = dst + (dstlen-1); in drbg_add_buf()
788 addptr = add + (addlen-1); in drbg_add_buf()
793 len--; dstptr--; addptr--; in drbg_add_buf()
795 len = dstlen - addlen; in drbg_add_buf()
800 len--; dstptr--; in drbg_add_buf()
808 * start: drbg->scratchpad
811 * start: drbg->scratchpad + drbg_statelen(drbg)
827 unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg); in drbg_hash_df()
834 /* 10.4.1 step 4.1 -- concatenation of data for input into hash */ in drbg_hash_df()
847 blocklen = (drbg_blocklen(drbg) < (outlen - len)) ? in drbg_hash_df()
848 drbg_blocklen(drbg) : (outlen - len); in drbg_hash_df()
866 unsigned char *V = drbg->scratchpad; in drbg_hash_update()
870 return -EINVAL; in drbg_hash_update()
874 memcpy(V, drbg->V, drbg_statelen(drbg)); in drbg_hash_update()
882 /* 10.1.1.2 / 10.1.1.3 step 2 and 3 */ in drbg_hash_update()
883 ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist); in drbg_hash_update()
891 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); in drbg_hash_update()
894 ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2); in drbg_hash_update()
897 memset(drbg->scratchpad, 0, drbg_statelen(drbg)); in drbg_hash_update()
910 /* 10.1.1.4 step 2 */ in drbg_hash_process_addtl()
914 /* 10.1.1.4 step 2a */ in drbg_hash_process_addtl()
916 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); in drbg_hash_process_addtl()
920 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist); in drbg_hash_process_addtl()
924 /* 10.1.1.4 step 2b */ in drbg_hash_process_addtl()
925 drbg_add_buf(drbg->V, drbg_statelen(drbg), in drbg_hash_process_addtl()
926 drbg->scratchpad, drbg_blocklen(drbg)); in drbg_hash_process_addtl()
929 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); in drbg_hash_process_addtl()
940 unsigned char *src = drbg->scratchpad; in drbg_hash_hashgen()
941 unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg); in drbg_hash_hashgen()
945 /* 10.1.1.4 step hashgen 2 */ in drbg_hash_hashgen()
946 memcpy(src, drbg->V, drbg_statelen(drbg)); in drbg_hash_hashgen()
958 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? in drbg_hash_hashgen()
959 drbg_blocklen(drbg) : (buflen - len); in drbg_hash_hashgen()
969 memset(drbg->scratchpad, 0, in drbg_hash_hashgen()
989 /* 10.1.1.4 step 2 */ in drbg_hash_generate()
1000 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); in drbg_hash_generate()
1002 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist); in drbg_hash_generate()
1009 drbg_add_buf(drbg->V, drbg_statelen(drbg), in drbg_hash_generate()
1010 drbg->scratchpad, drbg_blocklen(drbg)); in drbg_hash_generate()
1011 drbg_add_buf(drbg->V, drbg_statelen(drbg), in drbg_hash_generate()
1012 drbg->C, drbg_statelen(drbg)); in drbg_hash_generate()
1013 u.req_int = cpu_to_be64(drbg->reseed_ctr); in drbg_hash_generate()
1014 drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8); in drbg_hash_generate()
1017 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); in drbg_hash_generate()
1040 int ret = drbg->d_ops->update(drbg, seed, reseed); in __drbg_seed()
1045 drbg->seeded = new_seed_state; in __drbg_seed()
1047 drbg->reseed_ctr = 1; in __drbg_seed()
1049 switch (drbg->seeded) { in __drbg_seed()
1058 drbg->reseed_threshold = 50; in __drbg_seed()
1066 drbg->reseed_threshold = drbg_max_requests(drbg); in __drbg_seed()
1082 if (ret && ret != -EAGAIN) in drbg_get_random_bytes()
1093 unsigned int entropylen = drbg_sec_strength(drbg->core->flags); in drbg_seed_from_random()
1129 unsigned char entropy[((32 + 16) * 2)]; in drbg_seed()
1130 unsigned int entropylen = drbg_sec_strength(drbg->core->flags); in drbg_seed()
1136 if (pers && pers->len > (drbg_max_addtl(drbg))) { in drbg_seed()
1138 pers->len); in drbg_seed()
1139 return -EINVAL; in drbg_seed()
1142 if (list_empty(&drbg->test_data.list)) { in drbg_seed()
1143 drbg_string_fill(&data1, drbg->test_data.buf, in drbg_seed()
1144 drbg->test_data.len); in drbg_seed()
1150 * to the entropy. A nonce must be at least 1/2 of the security in drbg_seed()
1151 * strength of the DRBG in size. Thus, entropy + nonce is 3/2 in drbg_seed()
1157 entropylen = ((entropylen + 1) / 2) * 3; in drbg_seed()
1158 BUG_ON((entropylen * 2) > sizeof(entropy)); in drbg_seed()
1160 /* Get seed from in-kernel /dev/urandom */ in drbg_seed()
1168 if (!drbg->jent) { in drbg_seed()
1174 ret = crypto_rng_get_bytes(drbg->jent, in drbg_seed()
1187 * SP800-90A allowing us to treat the in drbg_seed()
1194 if (!reseed || ret != -EAGAIN) in drbg_seed()
1198 drbg_string_fill(&data1, entropy, entropylen * 2); in drbg_seed()
1200 entropylen * 2); in drbg_seed()
1210 if (pers && pers->buf && 0 < pers->len) { in drbg_seed()
1211 list_add_tail(&pers->list, &seedlist); in drbg_seed()
1216 memset(drbg->V, 0, drbg_statelen(drbg)); in drbg_seed()
1217 memset(drbg->C, 0, drbg_statelen(drbg)); in drbg_seed()
1223 memzero_explicit(entropy, entropylen * 2); in drbg_seed()
1233 kfree_sensitive(drbg->Vbuf); in drbg_dealloc_state()
1234 drbg->Vbuf = NULL; in drbg_dealloc_state()
1235 drbg->V = NULL; in drbg_dealloc_state()
1236 kfree_sensitive(drbg->Cbuf); in drbg_dealloc_state()
1237 drbg->Cbuf = NULL; in drbg_dealloc_state()
1238 drbg->C = NULL; in drbg_dealloc_state()
1239 kfree_sensitive(drbg->scratchpadbuf); in drbg_dealloc_state()
1240 drbg->scratchpadbuf = NULL; in drbg_dealloc_state()
1241 drbg->reseed_ctr = 0; in drbg_dealloc_state()
1242 drbg->d_ops = NULL; in drbg_dealloc_state()
1243 drbg->core = NULL; in drbg_dealloc_state()
1245 kfree_sensitive(drbg->prev); in drbg_dealloc_state()
1246 drbg->prev = NULL; in drbg_dealloc_state()
1247 drbg->fips_primed = false; in drbg_dealloc_state()
1252 * Allocate all sub-structures for a DRBG state.
1257 int ret = -ENOMEM; in drbg_alloc_state()
1260 switch (drbg->core->flags & DRBG_TYPE_MASK) { in drbg_alloc_state()
1263 drbg->d_ops = &drbg_hmac_ops; in drbg_alloc_state()
1268 drbg->d_ops = &drbg_hash_ops; in drbg_alloc_state()
1273 drbg->d_ops = &drbg_ctr_ops; in drbg_alloc_state()
1277 ret = -EOPNOTSUPP; in drbg_alloc_state()
1281 ret = drbg->d_ops->crypto_init(drbg); in drbg_alloc_state()
1285 drbg->Vbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL); in drbg_alloc_state()
1286 if (!drbg->Vbuf) { in drbg_alloc_state()
1287 ret = -ENOMEM; in drbg_alloc_state()
1290 drbg->V = PTR_ALIGN(drbg->Vbuf, ret + 1); in drbg_alloc_state()
1291 drbg->Cbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL); in drbg_alloc_state()
1292 if (!drbg->Cbuf) { in drbg_alloc_state()
1293 ret = -ENOMEM; in drbg_alloc_state()
1296 drbg->C = PTR_ALIGN(drbg->Cbuf, ret + 1); in drbg_alloc_state()
1298 if (drbg->core->flags & DRBG_HMAC) in drbg_alloc_state()
1300 else if (drbg->core->flags & DRBG_CTR) in drbg_alloc_state()
1310 drbg->scratchpadbuf = kzalloc(sb_size + ret, GFP_KERNEL); in drbg_alloc_state()
1311 if (!drbg->scratchpadbuf) { in drbg_alloc_state()
1312 ret = -ENOMEM; in drbg_alloc_state()
1315 drbg->scratchpad = PTR_ALIGN(drbg->scratchpadbuf, ret + 1); in drbg_alloc_state()
1319 drbg->prev = kzalloc(drbg_sec_strength(drbg->core->flags), in drbg_alloc_state()
1321 if (!drbg->prev) { in drbg_alloc_state()
1322 ret = -ENOMEM; in drbg_alloc_state()
1325 drbg->fips_primed = false; in drbg_alloc_state()
1331 drbg->d_ops->crypto_fini(drbg); in drbg_alloc_state()
1342 * DRBG generate function as required by SP800-90A - this function
1346 * @buf Buffer where to store the random numbers -- the buffer must already
1347 * be pre-allocated by caller
1348 * @buflen Length of output buffer - this value defines the number of random
1350 * @addtl Additional input that is mixed into state, may be NULL -- note
1352 * as defined in SP800-90A. The additional input is mixed into
1364 if (!drbg->core) { in drbg_generate()
1366 return -EINVAL; in drbg_generate()
1370 return -EINVAL; in drbg_generate()
1372 if (addtl && NULL == addtl->buf && 0 < addtl->len) { in drbg_generate()
1374 return -EINVAL; in drbg_generate()
1377 /* 9.3.1 step 2 */ in drbg_generate()
1378 len = -EINVAL; in drbg_generate()
1388 if (addtl && addtl->len > (drbg_max_addtl(drbg))) { in drbg_generate()
1390 addtl->len); in drbg_generate()
1396 * 9.3.1 step 6 and 9 supplemented by 9.3.2 step c is implemented in drbg_generate()
1399 if (drbg->reseed_threshold < drbg->reseed_ctr) in drbg_generate()
1400 drbg->seeded = DRBG_SEED_STATE_UNSEEDED; in drbg_generate()
1402 if (drbg->pr || drbg->seeded == DRBG_SEED_STATE_UNSEEDED) { in drbg_generate()
1405 drbg->pr ? "true" : "false", in drbg_generate()
1406 (drbg->seeded == DRBG_SEED_STATE_FULL ? in drbg_generate()
1415 drbg->seeded == DRBG_SEED_STATE_PARTIAL) { in drbg_generate()
1421 if (addtl && 0 < addtl->len) in drbg_generate()
1422 list_add_tail(&addtl->list, &addtllist); in drbg_generate()
1424 len = drbg->d_ops->generate(drbg, buf, buflen, &addtllist); in drbg_generate()
1426 /* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */ in drbg_generate()
1427 drbg->reseed_ctr++; in drbg_generate()
1432 * Section 11.3.3 requires to re-perform self tests after some in drbg_generate()
1447 if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096)) { in drbg_generate()
1450 if (drbg->core->flags & DRBG_HMAC) in drbg_generate()
1453 else if (drbg->core->flags & DRBG_CTR) in drbg_generate()
1487 * Return codes: see drbg_generate -- if one drbg_generate request fails,
1499 slice = ((buflen - len) / drbg_max_request_bytes(drbg)); in drbg_generate_long()
1500 chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len); in drbg_generate_long()
1501 mutex_lock(&drbg->drbg_mutex); in drbg_generate_long()
1503 mutex_unlock(&drbg->drbg_mutex); in drbg_generate_long()
1514 if (list_empty(&drbg->test_data.list)) in drbg_prepare_hrng()
1517 drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0); in drbg_prepare_hrng()
1518 if (IS_ERR(drbg->jent)) { in drbg_prepare_hrng()
1519 const int err = PTR_ERR(drbg->jent); in drbg_prepare_hrng()
1521 drbg->jent = NULL; in drbg_prepare_hrng()
1531 * DRBG instantiation function as required by SP800-90A - this function
1533 * checks required by SP800-90A
1535 * @drbg memory of state -- if NULL, new memory is allocated
1536 * @pers Personalization string that is mixed into state, may be NULL -- note
1538 * as defined in SP800-90A. The additional input is mixed into
1555 mutex_lock(&drbg->drbg_mutex); in drbg_instantiate()
1560 * 9.1 step 2 is implicit as caller can select prediction resistance in drbg_instantiate()
1561 * and the flag is copied into drbg->flags -- in drbg_instantiate()
1567 if (!drbg->core) { in drbg_instantiate()
1568 drbg->core = &drbg_cores[coreref]; in drbg_instantiate()
1569 drbg->pr = pr; in drbg_instantiate()
1570 drbg->seeded = DRBG_SEED_STATE_UNSEEDED; in drbg_instantiate()
1571 drbg->reseed_threshold = drbg_max_requests(drbg); in drbg_instantiate()
1589 mutex_unlock(&drbg->drbg_mutex); in drbg_instantiate()
1593 mutex_unlock(&drbg->drbg_mutex); in drbg_instantiate()
1597 mutex_unlock(&drbg->drbg_mutex); in drbg_instantiate()
1603 * DRBG uninstantiate function as required by SP800-90A - this function
1613 if (!IS_ERR_OR_NULL(drbg->jent)) in drbg_uninstantiate()
1614 crypto_free_rng(drbg->jent); in drbg_uninstantiate()
1615 drbg->jent = NULL; in drbg_uninstantiate()
1617 if (drbg->d_ops) in drbg_uninstantiate()
1618 drbg->d_ops->crypto_fini(drbg); in drbg_uninstantiate()
1620 /* no scrubbing of test_data -- this shall survive an uninstantiate */ in drbg_uninstantiate()
1636 mutex_lock(&drbg->drbg_mutex); in drbg_kcapi_set_entropy()
1637 drbg_string_fill(&drbg->test_data, data, len); in drbg_kcapi_set_entropy()
1638 mutex_unlock(&drbg->drbg_mutex); in drbg_kcapi_set_entropy()
1656 tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0); in drbg_init_hash_kernel()
1659 drbg->core->backend_cra_name); in drbg_init_hash_kernel()
1667 return -ENOMEM; in drbg_init_hash_kernel()
1670 sdesc->shash.tfm = tfm; in drbg_init_hash_kernel()
1671 drbg->priv_data = sdesc; in drbg_init_hash_kernel()
1678 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; in drbg_fini_hash_kernel()
1680 crypto_free_shash(sdesc->shash.tfm); in drbg_fini_hash_kernel()
1683 drbg->priv_data = NULL; in drbg_fini_hash_kernel()
1690 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; in drbg_kcapi_hmacsetkey()
1692 crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg)); in drbg_kcapi_hmacsetkey()
1698 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; in drbg_kcapi_hash()
1701 crypto_shash_init(&sdesc->shash); in drbg_kcapi_hash()
1703 crypto_shash_update(&sdesc->shash, input->buf, input->len); in drbg_kcapi_hash()
1704 return crypto_shash_final(&sdesc->shash, outval); in drbg_kcapi_hash()
1712 (struct crypto_cipher *)drbg->priv_data; in drbg_fini_sym_kernel()
1715 drbg->priv_data = NULL; in drbg_fini_sym_kernel()
1717 if (drbg->ctr_handle) in drbg_fini_sym_kernel()
1718 crypto_free_skcipher(drbg->ctr_handle); in drbg_fini_sym_kernel()
1719 drbg->ctr_handle = NULL; in drbg_fini_sym_kernel()
1721 if (drbg->ctr_req) in drbg_fini_sym_kernel()
1722 skcipher_request_free(drbg->ctr_req); in drbg_fini_sym_kernel()
1723 drbg->ctr_req = NULL; in drbg_fini_sym_kernel()
1725 kfree(drbg->outscratchpadbuf); in drbg_fini_sym_kernel()
1726 drbg->outscratchpadbuf = NULL; in drbg_fini_sym_kernel()
1739 tfm = crypto_alloc_cipher(drbg->core->backend_cra_name, 0, 0); in drbg_init_sym_kernel()
1742 drbg->core->backend_cra_name); in drbg_init_sym_kernel()
1746 drbg->priv_data = tfm; in drbg_init_sym_kernel()
1749 drbg->core->backend_cra_name) >= CRYPTO_MAX_ALG_NAME) { in drbg_init_sym_kernel()
1751 return -EINVAL; in drbg_init_sym_kernel()
1760 drbg->ctr_handle = sk_tfm; in drbg_init_sym_kernel()
1761 crypto_init_wait(&drbg->ctr_wait); in drbg_init_sym_kernel()
1767 return -ENOMEM; in drbg_init_sym_kernel()
1769 drbg->ctr_req = req; in drbg_init_sym_kernel()
1772 crypto_req_done, &drbg->ctr_wait); in drbg_init_sym_kernel()
1775 drbg->outscratchpadbuf = kmalloc(DRBG_OUTSCRATCHLEN + alignmask, in drbg_init_sym_kernel()
1777 if (!drbg->outscratchpadbuf) { in drbg_init_sym_kernel()
1779 return -ENOMEM; in drbg_init_sym_kernel()
1781 drbg->outscratchpad = (u8 *)PTR_ALIGN(drbg->outscratchpadbuf, in drbg_init_sym_kernel()
1784 sg_init_table(&drbg->sg_in, 1); in drbg_init_sym_kernel()
1785 sg_init_one(&drbg->sg_out, drbg->outscratchpad, DRBG_OUTSCRATCHLEN); in drbg_init_sym_kernel()
1794 (struct crypto_cipher *)drbg->priv_data; in drbg_kcapi_symsetkey()
1803 (struct crypto_cipher *)drbg->priv_data; in drbg_kcapi_sym()
1806 BUG_ON(in->len < drbg_blocklen(drbg)); in drbg_kcapi_sym()
1807 crypto_cipher_encrypt_one(tfm, outval, in->buf); in drbg_kcapi_sym()
1815 struct scatterlist *sg_in = &drbg->sg_in, *sg_out = &drbg->sg_out; in drbg_kcapi_sym_ctr()
1820 /* Use caller-provided input buffer */ in drbg_kcapi_sym_ctr()
1823 /* Use scratchpad for in-place operation */ in drbg_kcapi_sym_ctr()
1825 memset(drbg->outscratchpad, 0, scratchpad_use); in drbg_kcapi_sym_ctr()
1826 sg_set_buf(sg_in, drbg->outscratchpad, scratchpad_use); in drbg_kcapi_sym_ctr()
1833 skcipher_request_set_crypt(drbg->ctr_req, sg_in, sg_out, in drbg_kcapi_sym_ctr()
1834 cryptlen, drbg->V); in drbg_kcapi_sym_ctr()
1835 ret = crypto_wait_req(crypto_skcipher_encrypt(drbg->ctr_req), in drbg_kcapi_sym_ctr()
1836 &drbg->ctr_wait); in drbg_kcapi_sym_ctr()
1840 crypto_init_wait(&drbg->ctr_wait); in drbg_kcapi_sym_ctr()
1842 memcpy(outbuf, drbg->outscratchpad, cryptlen); in drbg_kcapi_sym_ctr()
1843 memzero_explicit(drbg->outscratchpad, cryptlen); in drbg_kcapi_sym_ctr()
1845 outlen -= cryptlen; in drbg_kcapi_sym_ctr()
1889 len = strlen(cra_driver_name) - start; in drbg_convert_tfm_core()
1903 mutex_init(&drbg->drbg_mutex); in drbg_kcapi_init()
1967 * Tests as defined in 11.3.2 in addition to the cipher tests: testing
1970 * Note: testing of failing seed source as defined in 11.3.2 is not applicable
1973 * Note 2: There is no sensible way of testing the reseed counter
1982 int ret = -EFAULT; in drbg_healthcheck_sanity()
1983 int rc = -EFAULT; in drbg_healthcheck_sanity()
1989 /* only perform test in FIPS mode */ in drbg_healthcheck_sanity()
2003 return -ENOMEM; in drbg_healthcheck_sanity()
2005 mutex_init(&drbg->drbg_mutex); in drbg_healthcheck_sanity()
2006 drbg->core = &drbg_cores[coreref]; in drbg_healthcheck_sanity()
2007 drbg->reseed_threshold = drbg_max_requests(drbg); in drbg_healthcheck_sanity()
2012 * string lengths -- in case the error handling does not succeed in drbg_healthcheck_sanity()
2053 memcpy(alg->base.cra_name, "stdrng", 6); in drbg_fill_array()
2055 memcpy(alg->base.cra_driver_name, "drbg_pr_", 8); in drbg_fill_array()
2058 memcpy(alg->base.cra_driver_name, "drbg_nopr_", 10); in drbg_fill_array()
2061 memcpy(alg->base.cra_driver_name + pos, core->cra_name, in drbg_fill_array()
2062 strlen(core->cra_name)); in drbg_fill_array()
2064 alg->base.cra_priority = priority; in drbg_fill_array()
2067 * If FIPS mode enabled, the selected DRBG shall have the in drbg_fill_array()
2072 alg->base.cra_priority += 200; in drbg_fill_array()
2074 alg->base.cra_ctxsize = sizeof(struct drbg_state); in drbg_fill_array()
2075 alg->base.cra_module = THIS_MODULE; in drbg_fill_array()
2076 alg->base.cra_init = drbg_kcapi_init; in drbg_fill_array()
2077 alg->base.cra_exit = drbg_kcapi_cleanup; in drbg_fill_array()
2078 alg->generate = drbg_kcapi_random; in drbg_fill_array()
2079 alg->seed = drbg_kcapi_seed; in drbg_fill_array()
2080 alg->set_ent = drbg_kcapi_set_entropy; in drbg_fill_array()
2081 alg->seedsize = 0; in drbg_fill_array()
2094 if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) { in drbg_init()
2097 ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs)); in drbg_init()
2098 return -EFAULT; in drbg_init()
2114 return crypto_register_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); in drbg_init()
2119 crypto_unregister_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); in drbg_exit()
2135 MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) "