ansi_cprng.c 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479
  1. /*
  2. * PRNG: Pseudo Random Number Generator
  3. * Based on NIST Recommended PRNG From ANSI X9.31 Appendix A.2.4 using
  4. * AES 128 cipher
  5. *
  6. * (C) Neil Horman <nhorman@tuxdriver.com>
  7. *
  8. * This program is free software; you can redistribute it and/or modify it
  9. * under the terms of the GNU General Public License as published by the
  10. * Free Software Foundation; either version 2 of the License, or (at your
  11. * any later version.
  12. *
  13. *
  14. */
  15. #include <crypto/internal/rng.h>
  16. #include <linux/err.h>
  17. #include <linux/init.h>
  18. #include <linux/module.h>
  19. #include <linux/moduleparam.h>
  20. #include <linux/string.h>
  21. #define DEFAULT_PRNG_KEY "0123456789abcdef"
  22. #define DEFAULT_PRNG_KSZ 16
  23. #define DEFAULT_BLK_SZ 16
  24. #define DEFAULT_V_SEED "zaybxcwdveuftgsh"
  25. /*
  26. * Flags for the prng_context flags field
  27. */
  28. #define PRNG_FIXED_SIZE 0x1
  29. #define PRNG_NEED_RESET 0x2
  30. /*
  31. * Note: DT is our counter value
  32. * I is our intermediate value
  33. * V is our seed vector
  34. * See http://csrc.nist.gov/groups/STM/cavp/documents/rng/931rngext.pdf
  35. * for implementation details
  36. */
  37. struct prng_context {
  38. spinlock_t prng_lock;
  39. unsigned char rand_data[DEFAULT_BLK_SZ];
  40. unsigned char last_rand_data[DEFAULT_BLK_SZ];
  41. unsigned char DT[DEFAULT_BLK_SZ];
  42. unsigned char I[DEFAULT_BLK_SZ];
  43. unsigned char V[DEFAULT_BLK_SZ];
  44. u32 rand_data_valid;
  45. struct crypto_cipher *tfm;
  46. u32 flags;
  47. };
  48. static int dbg;
  49. static void hexdump(char *note, unsigned char *buf, unsigned int len)
  50. {
  51. if (dbg) {
  52. printk(KERN_CRIT "%s", note);
  53. print_hex_dump(KERN_CONT, "", DUMP_PREFIX_OFFSET,
  54. 16, 1,
  55. buf, len, false);
  56. }
  57. }
  58. #define dbgprint(format, args...) do {\
  59. if (dbg)\
  60. printk(format, ##args);\
  61. } while (0)
  62. static void xor_vectors(unsigned char *in1, unsigned char *in2,
  63. unsigned char *out, unsigned int size)
  64. {
  65. int i;
  66. for (i = 0; i < size; i++)
  67. out[i] = in1[i] ^ in2[i];
  68. }
  69. /*
  70. * Returns DEFAULT_BLK_SZ bytes of random data per call
  71. * returns 0 if generation succeeded, <0 if something went wrong
  72. */
  73. static int _get_more_prng_bytes(struct prng_context *ctx, int cont_test)
  74. {
  75. int i;
  76. unsigned char tmp[DEFAULT_BLK_SZ];
  77. unsigned char *output = NULL;
  78. dbgprint(KERN_CRIT "Calling _get_more_prng_bytes for context %p\n",
  79. ctx);
  80. hexdump("Input DT: ", ctx->DT, DEFAULT_BLK_SZ);
  81. hexdump("Input I: ", ctx->I, DEFAULT_BLK_SZ);
  82. hexdump("Input V: ", ctx->V, DEFAULT_BLK_SZ);
  83. /*
  84. * This algorithm is a 3 stage state machine
  85. */
  86. for (i = 0; i < 3; i++) {
  87. switch (i) {
  88. case 0:
  89. /*
  90. * Start by encrypting the counter value
  91. * This gives us an intermediate value I
  92. */
  93. memcpy(tmp, ctx->DT, DEFAULT_BLK_SZ);
  94. output = ctx->I;
  95. hexdump("tmp stage 0: ", tmp, DEFAULT_BLK_SZ);
  96. break;
  97. case 1:
  98. /*
  99. * Next xor I with our secret vector V
  100. * encrypt that result to obtain our
  101. * pseudo random data which we output
  102. */
  103. xor_vectors(ctx->I, ctx->V, tmp, DEFAULT_BLK_SZ);
  104. hexdump("tmp stage 1: ", tmp, DEFAULT_BLK_SZ);
  105. output = ctx->rand_data;
  106. break;
  107. case 2:
  108. /*
  109. * First check that we didn't produce the same
  110. * random data that we did last time around through this
  111. */
  112. if (!memcmp(ctx->rand_data, ctx->last_rand_data,
  113. DEFAULT_BLK_SZ)) {
  114. if (cont_test) {
  115. panic("cprng %p Failed repetition check!\n",
  116. ctx);
  117. }
  118. printk(KERN_ERR
  119. "ctx %p Failed repetition check!\n",
  120. ctx);
  121. ctx->flags |= PRNG_NEED_RESET;
  122. return -EINVAL;
  123. }
  124. memcpy(ctx->last_rand_data, ctx->rand_data,
  125. DEFAULT_BLK_SZ);
  126. /*
  127. * Lastly xor the random data with I
  128. * and encrypt that to obtain a new secret vector V
  129. */
  130. xor_vectors(ctx->rand_data, ctx->I, tmp,
  131. DEFAULT_BLK_SZ);
  132. output = ctx->V;
  133. hexdump("tmp stage 2: ", tmp, DEFAULT_BLK_SZ);
  134. break;
  135. }
  136. /* do the encryption */
  137. crypto_cipher_encrypt_one(ctx->tfm, output, tmp);
  138. }
  139. /*
  140. * Now update our DT value
  141. */
  142. for (i = DEFAULT_BLK_SZ - 1; i >= 0; i--) {
  143. ctx->DT[i] += 1;
  144. if (ctx->DT[i] != 0)
  145. break;
  146. }
  147. dbgprint("Returning new block for context %p\n", ctx);
  148. ctx->rand_data_valid = 0;
  149. hexdump("Output DT: ", ctx->DT, DEFAULT_BLK_SZ);
  150. hexdump("Output I: ", ctx->I, DEFAULT_BLK_SZ);
  151. hexdump("Output V: ", ctx->V, DEFAULT_BLK_SZ);
  152. hexdump("New Random Data: ", ctx->rand_data, DEFAULT_BLK_SZ);
  153. return 0;
  154. }
  155. /* Our exported functions */
  156. static int get_prng_bytes(char *buf, size_t nbytes, struct prng_context *ctx,
  157. int do_cont_test)
  158. {
  159. unsigned char *ptr = buf;
  160. unsigned int byte_count = (unsigned int)nbytes;
  161. int err;
  162. spin_lock_bh(&ctx->prng_lock);
  163. err = -EINVAL;
  164. if (ctx->flags & PRNG_NEED_RESET)
  165. goto done;
  166. /*
  167. * If the FIXED_SIZE flag is on, only return whole blocks of
  168. * pseudo random data
  169. */
  170. err = -EINVAL;
  171. if (ctx->flags & PRNG_FIXED_SIZE) {
  172. if (nbytes < DEFAULT_BLK_SZ)
  173. goto done;
  174. byte_count = DEFAULT_BLK_SZ;
  175. }
  176. /*
  177. * Return 0 in case of success as mandated by the kernel
  178. * crypto API interface definition.
  179. */
  180. err = 0;
  181. dbgprint(KERN_CRIT "getting %d random bytes for context %p\n",
  182. byte_count, ctx);
  183. remainder:
  184. if (ctx->rand_data_valid == DEFAULT_BLK_SZ) {
  185. if (_get_more_prng_bytes(ctx, do_cont_test) < 0) {
  186. memset(buf, 0, nbytes);
  187. err = -EINVAL;
  188. goto done;
  189. }
  190. }
  191. /*
  192. * Copy any data less than an entire block
  193. */
  194. if (byte_count < DEFAULT_BLK_SZ) {
  195. empty_rbuf:
  196. while (ctx->rand_data_valid < DEFAULT_BLK_SZ) {
  197. *ptr = ctx->rand_data[ctx->rand_data_valid];
  198. ptr++;
  199. byte_count--;
  200. ctx->rand_data_valid++;
  201. if (byte_count == 0)
  202. goto done;
  203. }
  204. }
  205. /*
  206. * Now copy whole blocks
  207. */
  208. for (; byte_count >= DEFAULT_BLK_SZ; byte_count -= DEFAULT_BLK_SZ) {
  209. if (ctx->rand_data_valid == DEFAULT_BLK_SZ) {
  210. if (_get_more_prng_bytes(ctx, do_cont_test) < 0) {
  211. memset(buf, 0, nbytes);
  212. err = -EINVAL;
  213. goto done;
  214. }
  215. }
  216. if (ctx->rand_data_valid > 0)
  217. goto empty_rbuf;
  218. memcpy(ptr, ctx->rand_data, DEFAULT_BLK_SZ);
  219. ctx->rand_data_valid += DEFAULT_BLK_SZ;
  220. ptr += DEFAULT_BLK_SZ;
  221. }
  222. /*
  223. * Now go back and get any remaining partial block
  224. */
  225. if (byte_count)
  226. goto remainder;
  227. done:
  228. spin_unlock_bh(&ctx->prng_lock);
  229. dbgprint(KERN_CRIT "returning %d from get_prng_bytes in context %p\n",
  230. err, ctx);
  231. return err;
  232. }
  233. static void free_prng_context(struct prng_context *ctx)
  234. {
  235. crypto_free_cipher(ctx->tfm);
  236. }
  237. static int reset_prng_context(struct prng_context *ctx,
  238. const unsigned char *key, size_t klen,
  239. const unsigned char *V, const unsigned char *DT)
  240. {
  241. int ret;
  242. const unsigned char *prng_key;
  243. spin_lock_bh(&ctx->prng_lock);
  244. ctx->flags |= PRNG_NEED_RESET;
  245. prng_key = (key != NULL) ? key : (unsigned char *)DEFAULT_PRNG_KEY;
  246. if (!key)
  247. klen = DEFAULT_PRNG_KSZ;
  248. if (V)
  249. memcpy(ctx->V, V, DEFAULT_BLK_SZ);
  250. else
  251. memcpy(ctx->V, DEFAULT_V_SEED, DEFAULT_BLK_SZ);
  252. if (DT)
  253. memcpy(ctx->DT, DT, DEFAULT_BLK_SZ);
  254. else
  255. memset(ctx->DT, 0, DEFAULT_BLK_SZ);
  256. memset(ctx->rand_data, 0, DEFAULT_BLK_SZ);
  257. memset(ctx->last_rand_data, 0, DEFAULT_BLK_SZ);
  258. ctx->rand_data_valid = DEFAULT_BLK_SZ;
  259. ret = crypto_cipher_setkey(ctx->tfm, prng_key, klen);
  260. if (ret) {
  261. dbgprint(KERN_CRIT "PRNG: setkey() failed flags=%x\n",
  262. crypto_cipher_get_flags(ctx->tfm));
  263. goto out;
  264. }
  265. ret = 0;
  266. ctx->flags &= ~PRNG_NEED_RESET;
  267. out:
  268. spin_unlock_bh(&ctx->prng_lock);
  269. return ret;
  270. }
  271. static int cprng_init(struct crypto_tfm *tfm)
  272. {
  273. struct prng_context *ctx = crypto_tfm_ctx(tfm);
  274. spin_lock_init(&ctx->prng_lock);
  275. ctx->tfm = crypto_alloc_cipher("aes", 0, 0);
  276. if (IS_ERR(ctx->tfm)) {
  277. dbgprint(KERN_CRIT "Failed to alloc tfm for context %p\n",
  278. ctx);
  279. return PTR_ERR(ctx->tfm);
  280. }
  281. if (reset_prng_context(ctx, NULL, DEFAULT_PRNG_KSZ, NULL, NULL) < 0)
  282. return -EINVAL;
  283. /*
  284. * after allocation, we should always force the user to reset
  285. * so they don't inadvertently use the insecure default values
  286. * without specifying them intentially
  287. */
  288. ctx->flags |= PRNG_NEED_RESET;
  289. return 0;
  290. }
  291. static void cprng_exit(struct crypto_tfm *tfm)
  292. {
  293. free_prng_context(crypto_tfm_ctx(tfm));
  294. }
  295. static int cprng_get_random(struct crypto_rng *tfm,
  296. const u8 *src, unsigned int slen,
  297. u8 *rdata, unsigned int dlen)
  298. {
  299. struct prng_context *prng = crypto_rng_ctx(tfm);
  300. return get_prng_bytes(rdata, dlen, prng, 0);
  301. }
  302. /*
  303. * This is the cprng_registered reset method the seed value is
  304. * interpreted as the tuple { V KEY DT}
  305. * V and KEY are required during reset, and DT is optional, detected
  306. * as being present by testing the length of the seed
  307. */
  308. static int cprng_reset(struct crypto_rng *tfm,
  309. const u8 *seed, unsigned int slen)
  310. {
  311. struct prng_context *prng = crypto_rng_ctx(tfm);
  312. const u8 *key = seed + DEFAULT_BLK_SZ;
  313. const u8 *dt = NULL;
  314. if (slen < DEFAULT_PRNG_KSZ + DEFAULT_BLK_SZ)
  315. return -EINVAL;
  316. if (slen >= (2 * DEFAULT_BLK_SZ + DEFAULT_PRNG_KSZ))
  317. dt = key + DEFAULT_PRNG_KSZ;
  318. reset_prng_context(prng, key, DEFAULT_PRNG_KSZ, seed, dt);
  319. if (prng->flags & PRNG_NEED_RESET)
  320. return -EINVAL;
  321. return 0;
  322. }
  323. #ifdef CONFIG_CRYPTO_FIPS
  324. static int fips_cprng_get_random(struct crypto_rng *tfm,
  325. const u8 *src, unsigned int slen,
  326. u8 *rdata, unsigned int dlen)
  327. {
  328. struct prng_context *prng = crypto_rng_ctx(tfm);
  329. return get_prng_bytes(rdata, dlen, prng, 1);
  330. }
  331. static int fips_cprng_reset(struct crypto_rng *tfm,
  332. const u8 *seed, unsigned int slen)
  333. {
  334. u8 rdata[DEFAULT_BLK_SZ];
  335. const u8 *key = seed + DEFAULT_BLK_SZ;
  336. int rc;
  337. struct prng_context *prng = crypto_rng_ctx(tfm);
  338. if (slen < DEFAULT_PRNG_KSZ + DEFAULT_BLK_SZ)
  339. return -EINVAL;
  340. /* fips strictly requires seed != key */
  341. if (!memcmp(seed, key, DEFAULT_PRNG_KSZ))
  342. return -EINVAL;
  343. rc = cprng_reset(tfm, seed, slen);
  344. if (!rc)
  345. goto out;
  346. /* this primes our continuity test */
  347. rc = get_prng_bytes(rdata, DEFAULT_BLK_SZ, prng, 0);
  348. prng->rand_data_valid = DEFAULT_BLK_SZ;
  349. out:
  350. return rc;
  351. }
  352. #endif
  353. static struct rng_alg rng_algs[] = { {
  354. .generate = cprng_get_random,
  355. .seed = cprng_reset,
  356. .seedsize = DEFAULT_PRNG_KSZ + 2 * DEFAULT_BLK_SZ,
  357. .base = {
  358. .cra_name = "stdrng",
  359. .cra_driver_name = "ansi_cprng",
  360. .cra_priority = 100,
  361. .cra_ctxsize = sizeof(struct prng_context),
  362. .cra_module = THIS_MODULE,
  363. .cra_init = cprng_init,
  364. .cra_exit = cprng_exit,
  365. }
  366. #ifdef CONFIG_CRYPTO_FIPS
  367. }, {
  368. .generate = fips_cprng_get_random,
  369. .seed = fips_cprng_reset,
  370. .seedsize = DEFAULT_PRNG_KSZ + 2 * DEFAULT_BLK_SZ,
  371. .base = {
  372. .cra_name = "fips(ansi_cprng)",
  373. .cra_driver_name = "fips_ansi_cprng",
  374. .cra_priority = 300,
  375. .cra_ctxsize = sizeof(struct prng_context),
  376. .cra_module = THIS_MODULE,
  377. .cra_init = cprng_init,
  378. .cra_exit = cprng_exit,
  379. }
  380. #endif
  381. } };
  382. /* Module initalization */
  383. static int __init prng_mod_init(void)
  384. {
  385. return crypto_register_rngs(rng_algs, ARRAY_SIZE(rng_algs));
  386. }
  387. static void __exit prng_mod_fini(void)
  388. {
  389. crypto_unregister_rngs(rng_algs, ARRAY_SIZE(rng_algs));
  390. }
  391. MODULE_LICENSE("GPL");
  392. MODULE_DESCRIPTION("Software Pseudo Random Number Generator");
  393. MODULE_AUTHOR("Neil Horman <nhorman@tuxdriver.com>");
  394. module_param(dbg, int, 0);
  395. MODULE_PARM_DESC(dbg, "Boolean to enable debugging (0/1 == off/on)");
  396. module_init(prng_mod_init);
  397. module_exit(prng_mod_fini);
  398. MODULE_ALIAS_CRYPTO("stdrng");
  399. MODULE_ALIAS_CRYPTO("ansi_cprng");