2014-05-31 19:21:48 +04:00
|
|
|
/*
|
|
|
|
* DRBG based on NIST SP800-90A
|
|
|
|
*
|
|
|
|
* Copyright Stephan Mueller <smueller@chronox.de>, 2014
|
|
|
|
*
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
* are met:
|
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
|
|
* notice, and the entire permission notice in its entirety,
|
|
|
|
* including the disclaimer of warranties.
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
|
|
* documentation and/or other materials provided with the distribution.
|
|
|
|
* 3. The name of the author may not be used to endorse or promote
|
|
|
|
* products derived from this software without specific prior
|
|
|
|
* written permission.
|
|
|
|
*
|
|
|
|
* ALTERNATIVELY, this product may be distributed under the terms of
|
|
|
|
* the GNU General Public License, in which case the provisions of the GPL are
|
|
|
|
* required INSTEAD OF the above restrictions. (This clause is
|
|
|
|
* necessary due to a potential bad interaction between the GPL and
|
|
|
|
* the restrictions contained in a BSD-style copyright.)
|
|
|
|
*
|
|
|
|
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
|
|
|
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
|
|
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
|
|
|
|
* WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE
|
|
|
|
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
|
|
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
|
|
|
|
* OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
|
|
|
|
* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
|
|
|
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
|
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
|
|
|
|
* USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
|
|
|
|
* DAMAGE.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#ifndef _DRBG_H
|
|
|
|
#define _DRBG_H
|
|
|
|
|
|
|
|
|
|
|
|
#include <linux/random.h>
|
|
|
|
#include <linux/scatterlist.h>
|
|
|
|
#include <crypto/hash.h>
|
2016-06-14 08:34:13 +03:00
|
|
|
#include <crypto/skcipher.h>
|
2014-05-31 19:21:48 +04:00
|
|
|
#include <linux/module.h>
|
|
|
|
#include <linux/crypto.h>
|
|
|
|
#include <linux/slab.h>
|
|
|
|
#include <crypto/internal/rng.h>
|
|
|
|
#include <crypto/rng.h>
|
|
|
|
#include <linux/fips.h>
|
2015-04-18 20:36:17 +03:00
|
|
|
#include <linux/mutex.h>
|
2014-06-28 23:58:24 +04:00
|
|
|
#include <linux/list.h>
|
2015-05-25 16:09:36 +03:00
|
|
|
#include <linux/workqueue.h>
|
2014-05-31 19:21:48 +04:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Concatenation Helper and string operation helper
|
|
|
|
*
|
|
|
|
* SP800-90A requires the concatenation of different data. To avoid copying
|
|
|
|
* buffers around or allocate additional memory, the following data structure
|
|
|
|
* is used to point to the original memory with its size. In addition, it
|
|
|
|
* is used to build a linked list. The linked list defines the concatenation
|
|
|
|
* of individual buffers. The order of memory block referenced in that
|
|
|
|
* linked list determines the order of concatenation.
|
|
|
|
*/
|
|
|
|
struct drbg_string {
|
|
|
|
const unsigned char *buf;
|
|
|
|
size_t len;
|
2014-06-28 23:58:24 +04:00
|
|
|
struct list_head list;
|
2014-05-31 19:21:48 +04:00
|
|
|
};
|
|
|
|
|
|
|
|
static inline void drbg_string_fill(struct drbg_string *string,
|
|
|
|
const unsigned char *buf, size_t len)
|
|
|
|
{
|
|
|
|
string->buf = buf;
|
|
|
|
string->len = len;
|
2014-06-28 23:58:24 +04:00
|
|
|
INIT_LIST_HEAD(&string->list);
|
2014-05-31 19:21:48 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
struct drbg_state;
|
|
|
|
typedef uint32_t drbg_flag_t;
|
|
|
|
|
|
|
|
struct drbg_core {
|
|
|
|
drbg_flag_t flags; /* flags for the cipher */
|
|
|
|
__u8 statelen; /* maximum state length */
|
|
|
|
__u8 blocklen_bytes; /* block size of output in bytes */
|
|
|
|
char cra_name[CRYPTO_MAX_ALG_NAME]; /* mapping to kernel crypto API */
|
|
|
|
/* kernel crypto API backend cipher name */
|
|
|
|
char backend_cra_name[CRYPTO_MAX_ALG_NAME];
|
|
|
|
};
|
|
|
|
|
|
|
|
struct drbg_state_ops {
|
2014-06-28 23:58:24 +04:00
|
|
|
int (*update)(struct drbg_state *drbg, struct list_head *seed,
|
2014-05-31 19:21:48 +04:00
|
|
|
int reseed);
|
|
|
|
int (*generate)(struct drbg_state *drbg,
|
|
|
|
unsigned char *buf, unsigned int buflen,
|
2014-07-06 04:25:36 +04:00
|
|
|
struct list_head *addtl);
|
2014-05-31 19:21:48 +04:00
|
|
|
int (*crypto_init)(struct drbg_state *drbg);
|
|
|
|
int (*crypto_fini)(struct drbg_state *drbg);
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
struct drbg_test_data {
|
|
|
|
struct drbg_string *testentropy; /* TEST PARAMETER: test entropy */
|
|
|
|
};
|
|
|
|
|
crypto: drbg - prepare for more fine-grained tracking of seeding state
There are two different randomness sources the DRBGs are getting seeded
from, namely the jitterentropy source (if enabled) and get_random_bytes().
At initial DRBG seeding time during boot, the latter might not have
collected sufficient entropy for seeding itself yet and thus, the DRBG
implementation schedules a reseed work from a random_ready_callback once
that has happened. This is particularly important for the !->pr DRBG
instances, for which (almost) no further reseeds are getting triggered
during their lifetime.
Because collecting data from the jitterentropy source is a rather expensive
operation, the aforementioned asynchronously scheduled reseed work
restricts itself to get_random_bytes() only. That is, it in some sense
amends the initial DRBG seed derived from jitterentropy output at full
(estimated) entropy with fresh randomness obtained from get_random_bytes()
once that has been seeded with sufficient entropy itself.
With the advent of rng_is_initialized(), there is no real need for doing
the reseed operation from an asynchronously scheduled work anymore and a
subsequent patch will make it synchronous by moving it next to related
logic already present in drbg_generate().
However, for tracking whether a full reseed including the jitterentropy
source is required or a "partial" reseed involving only get_random_bytes()
would be sufficient already, the boolean struct drbg_state's ->seeded
member must become a tristate value.
Prepare for this by introducing the new enum drbg_seed_state and change
struct drbg_state's ->seeded member's type from bool to that type.
For facilitating review, enum drbg_seed_state is made to only contain
two members corresponding to the former ->seeded values of false and true
resp. at this point: DRBG_SEED_STATE_UNSEEDED and DRBG_SEED_STATE_FULL. A
third one for tracking the intermediate state of "seeded from jitterentropy
only" will be introduced with a subsequent patch.
There is no change in behaviour at this point.
Signed-off-by: Nicolai Stange <nstange@suse.de>
Reviewed-by: Stephan Müller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2021-11-15 17:18:04 +03:00
|
|
|
enum drbg_seed_state {
|
|
|
|
DRBG_SEED_STATE_UNSEEDED,
|
crypto: drbg - track whether DRBG was seeded with !rng_is_initialized()
Currently, the DRBG implementation schedules asynchronous works from
random_ready_callbacks for reseeding the DRBG instances with output from
get_random_bytes() once the latter has sufficient entropy available.
However, as the get_random_bytes() initialization state can get queried by
means of rng_is_initialized() now, there is no real need for this
asynchronous reseeding logic anymore and it's better to keep things simple
by doing it synchronously when needed instead, i.e. from drbg_generate()
once rng_is_initialized() has flipped to true.
Of course, for this to work, drbg_generate() would need some means by which
it can tell whether or not rng_is_initialized() has flipped to true since
the last seeding from get_random_bytes(). Or equivalently, whether or not
the last seed from get_random_bytes() has happened when
rng_is_initialized() was still evaluating to false.
As it currently stands, enum drbg_seed_state allows for the representation
of two different DRBG seeding states: DRBG_SEED_STATE_UNSEEDED and
DRBG_SEED_STATE_FULL. The former makes drbg_generate() to invoke a full
reseeding operation involving both, the rather expensive jitterentropy as
well as the get_random_bytes() randomness sources. The DRBG_SEED_STATE_FULL
state on the other hand implies that no reseeding at all is required for a
!->pr DRBG variant.
Introduce the new DRBG_SEED_STATE_PARTIAL state to enum drbg_seed_state for
representing the condition that a DRBG was being seeded when
rng_is_initialized() had still been false. In particular, this new state
implies that
- the given DRBG instance has been fully seeded from the jitterentropy
source (if enabled)
- and drbg_generate() is supposed to reseed from get_random_bytes()
*only* once rng_is_initialized() turns to true.
Up to now, the __drbg_seed() helper used to set the given DRBG instance's
->seeded state to constant DRBG_SEED_STATE_FULL. Introduce a new argument
allowing for the specification of the to be written ->seeded value instead.
Make the first of its two callers, drbg_seed(), determine the appropriate
value based on rng_is_initialized(). The remaining caller,
drbg_async_seed(), is known to get invoked only once rng_is_initialized()
is true, hence let it pass constant DRBG_SEED_STATE_FULL for the new
argument to __drbg_seed().
There is no change in behaviour, except for that the pr_devel() in
drbg_generate() would now report "unseeded" for ->pr DRBG instances which
had last been seeded when rng_is_initialized() was still evaluating to
false.
Signed-off-by: Nicolai Stange <nstange@suse.de>
Reviewed-by: Stephan Müller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2021-11-15 17:18:05 +03:00
|
|
|
DRBG_SEED_STATE_PARTIAL, /* Seeded with !rng_is_initialized() */
|
crypto: drbg - prepare for more fine-grained tracking of seeding state
There are two different randomness sources the DRBGs are getting seeded
from, namely the jitterentropy source (if enabled) and get_random_bytes().
At initial DRBG seeding time during boot, the latter might not have
collected sufficient entropy for seeding itself yet and thus, the DRBG
implementation schedules a reseed work from a random_ready_callback once
that has happened. This is particularly important for the !->pr DRBG
instances, for which (almost) no further reseeds are getting triggered
during their lifetime.
Because collecting data from the jitterentropy source is a rather expensive
operation, the aforementioned asynchronously scheduled reseed work
restricts itself to get_random_bytes() only. That is, it in some sense
amends the initial DRBG seed derived from jitterentropy output at full
(estimated) entropy with fresh randomness obtained from get_random_bytes()
once that has been seeded with sufficient entropy itself.
With the advent of rng_is_initialized(), there is no real need for doing
the reseed operation from an asynchronously scheduled work anymore and a
subsequent patch will make it synchronous by moving it next to related
logic already present in drbg_generate().
However, for tracking whether a full reseed including the jitterentropy
source is required or a "partial" reseed involving only get_random_bytes()
would be sufficient already, the boolean struct drbg_state's ->seeded
member must become a tristate value.
Prepare for this by introducing the new enum drbg_seed_state and change
struct drbg_state's ->seeded member's type from bool to that type.
For facilitating review, enum drbg_seed_state is made to only contain
two members corresponding to the former ->seeded values of false and true
resp. at this point: DRBG_SEED_STATE_UNSEEDED and DRBG_SEED_STATE_FULL. A
third one for tracking the intermediate state of "seeded from jitterentropy
only" will be introduced with a subsequent patch.
There is no change in behaviour at this point.
Signed-off-by: Nicolai Stange <nstange@suse.de>
Reviewed-by: Stephan Müller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2021-11-15 17:18:04 +03:00
|
|
|
DRBG_SEED_STATE_FULL,
|
|
|
|
};
|
|
|
|
|
2014-05-31 19:21:48 +04:00
|
|
|
struct drbg_state {
|
2015-04-18 20:36:17 +03:00
|
|
|
struct mutex drbg_mutex; /* lock around DRBG */
|
2014-05-31 19:21:48 +04:00
|
|
|
unsigned char *V; /* internal state 10.1.1.1 1a) */
|
2016-06-14 08:35:13 +03:00
|
|
|
unsigned char *Vbuf;
|
2014-05-31 19:21:48 +04:00
|
|
|
/* hash: static value 10.1.1.1 1b) hmac / ctr: key */
|
|
|
|
unsigned char *C;
|
2016-06-14 08:35:13 +03:00
|
|
|
unsigned char *Cbuf;
|
2014-05-31 19:21:48 +04:00
|
|
|
/* Number of RNG requests since last reseed -- 10.1.1.1 1c) */
|
|
|
|
size_t reseed_ctr;
|
crypto: drbg - reseed often if seedsource is degraded
As required by SP800-90A, the DRBG implements are reseeding threshold.
This threshold is at 2**48 (64 bit) and 2**32 bit (32 bit) as
implemented in drbg_max_requests.
With the recently introduced changes, the DRBG is now always used as a
stdrng which is initialized very early in the boot cycle. To ensure that
sufficient entropy is present, the Jitter RNG is added to even provide
entropy at early boot time.
However, the 2nd seed source, the nonblocking pool, is usually
degraded at that time. Therefore, the DRBG is seeded with the Jitter RNG
(which I believe contains good entropy, which however is questioned by
others) and is seeded with a degradded nonblocking pool. This seed is
now used for quasi the lifetime of the system (2**48 requests is a lot).
The patch now changes the reseed threshold as follows: up until the time
the DRBG obtains a seed from a fully iniitialized nonblocking pool, the
reseeding threshold is lowered such that the DRBG is forced to reseed
itself resonably often. Once it obtains the seed from a fully
initialized nonblocking pool, the reseed threshold is set to the value
required by SP800-90A.
Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-06-10 04:33:37 +03:00
|
|
|
size_t reseed_threshold;
|
2014-05-31 19:21:48 +04:00
|
|
|
/* some memory the DRBG can use for its operation */
|
|
|
|
unsigned char *scratchpad;
|
2016-06-14 08:35:13 +03:00
|
|
|
unsigned char *scratchpadbuf;
|
2014-05-31 19:21:48 +04:00
|
|
|
void *priv_data; /* Cipher handle */
|
2016-06-14 08:34:13 +03:00
|
|
|
|
|
|
|
struct crypto_skcipher *ctr_handle; /* CTR mode cipher handle */
|
|
|
|
struct skcipher_request *ctr_req; /* CTR mode request handle */
|
2016-11-29 11:45:04 +03:00
|
|
|
__u8 *outscratchpadbuf; /* CTR mode output scratchpad */
|
|
|
|
__u8 *outscratchpad; /* CTR mode aligned outbuf */
|
2017-10-18 10:00:41 +03:00
|
|
|
struct crypto_wait ctr_wait; /* CTR mode async wait obj */
|
2018-07-10 18:56:33 +03:00
|
|
|
struct scatterlist sg_in, sg_out; /* CTR mode SGLs */
|
2016-06-14 08:34:13 +03:00
|
|
|
|
crypto: drbg - prepare for more fine-grained tracking of seeding state
There are two different randomness sources the DRBGs are getting seeded
from, namely the jitterentropy source (if enabled) and get_random_bytes().
At initial DRBG seeding time during boot, the latter might not have
collected sufficient entropy for seeding itself yet and thus, the DRBG
implementation schedules a reseed work from a random_ready_callback once
that has happened. This is particularly important for the !->pr DRBG
instances, for which (almost) no further reseeds are getting triggered
during their lifetime.
Because collecting data from the jitterentropy source is a rather expensive
operation, the aforementioned asynchronously scheduled reseed work
restricts itself to get_random_bytes() only. That is, it in some sense
amends the initial DRBG seed derived from jitterentropy output at full
(estimated) entropy with fresh randomness obtained from get_random_bytes()
once that has been seeded with sufficient entropy itself.
With the advent of rng_is_initialized(), there is no real need for doing
the reseed operation from an asynchronously scheduled work anymore and a
subsequent patch will make it synchronous by moving it next to related
logic already present in drbg_generate().
However, for tracking whether a full reseed including the jitterentropy
source is required or a "partial" reseed involving only get_random_bytes()
would be sufficient already, the boolean struct drbg_state's ->seeded
member must become a tristate value.
Prepare for this by introducing the new enum drbg_seed_state and change
struct drbg_state's ->seeded member's type from bool to that type.
For facilitating review, enum drbg_seed_state is made to only contain
two members corresponding to the former ->seeded values of false and true
resp. at this point: DRBG_SEED_STATE_UNSEEDED and DRBG_SEED_STATE_FULL. A
third one for tracking the intermediate state of "seeded from jitterentropy
only" will be introduced with a subsequent patch.
There is no change in behaviour at this point.
Signed-off-by: Nicolai Stange <nstange@suse.de>
Reviewed-by: Stephan Müller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2021-11-15 17:18:04 +03:00
|
|
|
enum drbg_seed_state seeded; /* DRBG fully seeded? */
|
crypto: drbg - reseed 'nopr' drbgs periodically from get_random_bytes()
In contrast to the fully prediction resistant 'pr' DRBGs, the 'nopr'
variants get seeded once at boot and reseeded only rarely thereafter,
namely only after 2^20 requests have been served each. AFAICT, this
reseeding based on the number of requests served is primarily motivated
by information theoretic considerations, c.f. NIST SP800-90Ar1,
sec. 8.6.8 ("Reseeding").
However, given the relatively large seed lifetime of 2^20 requests, the
'nopr' DRBGs can hardly be considered to provide any prediction resistance
whatsoever, i.e. to protect against threats like side channel leaks of the
internal DRBG state (think e.g. leaked VM snapshots). This is expected and
completely in line with the 'nopr' naming, but as e.g. the
"drbg_nopr_hmac_sha512" implementation is potentially being used for
providing the "stdrng" and thus, the crypto_default_rng serving the
in-kernel crypto, it would certainly be desirable to achieve at least the
same level of prediction resistance as get_random_bytes() does.
Note that the chacha20 rngs underlying get_random_bytes() get reseeded
every CRNG_RESEED_INTERVAL == 5min: the secondary, per-NUMA node rngs from
the primary one and the primary rng in turn from the entropy pool, provided
sufficient entropy is available.
The 'nopr' DRBGs do draw randomness from get_random_bytes() for their
initial seed already, so making them to reseed themselves periodically from
get_random_bytes() in order to let them benefit from the latter's
prediction resistance is not such a big change conceptually.
In principle, it would have been also possible to make the 'nopr' DRBGs to
periodically invoke a full reseeding operation, i.e. to also consider the
jitterentropy source (if enabled) in addition to get_random_bytes() for the
seed value. However, get_random_bytes() is relatively lightweight as
compared to the jitterentropy generation process and thus, even though the
'nopr' reseeding is supposed to get invoked infrequently, it's IMO still
worthwhile to avoid occasional latency spikes for drbg_generate() and
stick to get_random_bytes() only. As an additional remark, note that
drawing randomness from the non-SP800-90B-conforming get_random_bytes()
only won't adversely affect SP800-90A conformance either: the very same is
being done during boot via drbg_seed_from_random() already once
rng_is_initialized() flips to true and it follows that if the DRBG
implementation does conform to SP800-90A now, it will continue to do so.
Make the 'nopr' DRBGs to reseed themselves periodically from
get_random_bytes() every CRNG_RESEED_INTERVAL == 5min.
More specifically, introduce a new member ->last_seed_time to struct
drbg_state for recording in units of jiffies when the last seeding
operation had taken place. Make __drbg_seed() maintain it and let
drbg_generate() invoke a reseed from get_random_bytes() via
drbg_seed_from_random() if more than 5min have passed by since the last
seeding operation. Be careful to not to reseed if in testing mode though,
or otherwise the drbg related tests in crypto/testmgr.c would fail to
reproduce the expected output.
In order to keep the formatting clean in drbg_generate() wrap the logic
for deciding whether or not a reseed is due in a new helper,
drbg_nopr_reseed_interval_elapsed().
Signed-off-by: Nicolai Stange <nstange@suse.de>
Reviewed-by: Stephan Müller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2021-11-15 17:18:09 +03:00
|
|
|
unsigned long last_seed_time;
|
2014-05-31 19:21:48 +04:00
|
|
|
bool pr; /* Prediction resistance enabled? */
|
2019-05-08 17:19:24 +03:00
|
|
|
bool fips_primed; /* Continuous test primed? */
|
|
|
|
unsigned char *prev; /* FIPS 140-2 continuous test value */
|
2015-05-25 16:09:59 +03:00
|
|
|
struct crypto_rng *jent;
|
2014-05-31 19:21:48 +04:00
|
|
|
const struct drbg_state_ops *d_ops;
|
|
|
|
const struct drbg_core *core;
|
2015-04-21 05:46:41 +03:00
|
|
|
struct drbg_string test_data;
|
2014-05-31 19:21:48 +04:00
|
|
|
};
|
|
|
|
|
|
|
|
static inline __u8 drbg_statelen(struct drbg_state *drbg)
|
|
|
|
{
|
|
|
|
if (drbg && drbg->core)
|
|
|
|
return drbg->core->statelen;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline __u8 drbg_blocklen(struct drbg_state *drbg)
|
|
|
|
{
|
|
|
|
if (drbg && drbg->core)
|
|
|
|
return drbg->core->blocklen_bytes;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline __u8 drbg_keylen(struct drbg_state *drbg)
|
|
|
|
{
|
|
|
|
if (drbg && drbg->core)
|
|
|
|
return (drbg->core->statelen - drbg->core->blocklen_bytes);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline size_t drbg_max_request_bytes(struct drbg_state *drbg)
|
|
|
|
{
|
2014-08-17 19:41:10 +04:00
|
|
|
/* SP800-90A requires the limit 2**19 bits, but we return bytes */
|
|
|
|
return (1 << 16);
|
2014-05-31 19:21:48 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
static inline size_t drbg_max_addtl(struct drbg_state *drbg)
|
|
|
|
{
|
2014-08-17 19:41:10 +04:00
|
|
|
/* SP800-90A requires 2**35 bytes additional info str / pers str */
|
2014-08-26 12:29:45 +04:00
|
|
|
#if (__BITS_PER_LONG == 32)
|
|
|
|
/*
|
|
|
|
* SP800-90A allows smaller maximum numbers to be returned -- we
|
|
|
|
* return SIZE_MAX - 1 to allow the verification of the enforcement
|
|
|
|
* of this value in drbg_healthcheck_sanity.
|
|
|
|
*/
|
|
|
|
return (SIZE_MAX - 1);
|
|
|
|
#else
|
2014-08-17 19:41:10 +04:00
|
|
|
return (1UL<<35);
|
2014-08-26 12:29:45 +04:00
|
|
|
#endif
|
2014-05-31 19:21:48 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
static inline size_t drbg_max_requests(struct drbg_state *drbg)
|
|
|
|
{
|
2014-08-17 19:41:10 +04:00
|
|
|
/* SP800-90A requires 2**48 maximum requests before reseeding */
|
crypto: drbg - always seeded with SP800-90B compliant noise source
As the Jitter RNG provides an SP800-90B compliant noise source, use this
noise source always for the (re)seeding of the DRBG.
To make sure the DRBG is always properly seeded, the reseed threshold
is reduced to 1<<20 generate operations.
The Jitter RNG may report health test failures. Such health test
failures are treated as transient as follows. The DRBG will not reseed
from the Jitter RNG (but from get_random_bytes) in case of a health
test failure. Though, it produces the requested random number.
The Jitter RNG has a failure counter where at most 1024 consecutive
resets due to a health test failure are considered as a transient error.
If more consecutive resets are required, the Jitter RNG will return
a permanent error which is returned to the caller by the DRBG. With this
approach, the worst case reseed threshold is significantly lower than
mandated by SP800-90A in order to seed with an SP800-90B noise source:
the DRBG has a reseed threshold of 2^20 * 1024 = 2^30 generate requests.
Yet, in case of a transient Jitter RNG health test failure, the DRBG is
seeded with the data obtained from get_random_bytes.
However, if the Jitter RNG fails during the initial seeding operation
even due to a health test error, the DRBG will send an error to the
caller because at that time, the DRBG has received no seed that is
SP800-90B compliant.
Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2020-04-17 22:34:03 +03:00
|
|
|
return (1<<20);
|
2014-05-31 19:21:48 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* This is a wrapper to the kernel crypto API function of
|
2015-04-21 05:46:41 +03:00
|
|
|
* crypto_rng_generate() to allow the caller to provide additional data.
|
2014-05-31 19:21:48 +04:00
|
|
|
*
|
|
|
|
* @drng DRBG handle -- see crypto_rng_get_bytes
|
|
|
|
* @outbuf output buffer -- see crypto_rng_get_bytes
|
|
|
|
* @outlen length of output buffer -- see crypto_rng_get_bytes
|
|
|
|
* @addtl_input additional information string input buffer
|
|
|
|
* @addtllen length of additional information string buffer
|
|
|
|
*
|
|
|
|
* return
|
|
|
|
* see crypto_rng_get_bytes
|
|
|
|
*/
|
|
|
|
static inline int crypto_drbg_get_bytes_addtl(struct crypto_rng *drng,
|
|
|
|
unsigned char *outbuf, unsigned int outlen,
|
|
|
|
struct drbg_string *addtl)
|
|
|
|
{
|
2015-04-21 05:46:41 +03:00
|
|
|
return crypto_rng_generate(drng, addtl->buf, addtl->len,
|
|
|
|
outbuf, outlen);
|
2014-05-31 19:21:48 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* TEST code
|
|
|
|
*
|
|
|
|
* This is a wrapper to the kernel crypto API function of
|
2015-04-21 05:46:41 +03:00
|
|
|
* crypto_rng_generate() to allow the caller to provide additional data and
|
2014-05-31 19:21:48 +04:00
|
|
|
* allow furnishing of test_data
|
|
|
|
*
|
|
|
|
* @drng DRBG handle -- see crypto_rng_get_bytes
|
|
|
|
* @outbuf output buffer -- see crypto_rng_get_bytes
|
|
|
|
* @outlen length of output buffer -- see crypto_rng_get_bytes
|
|
|
|
* @addtl_input additional information string input buffer
|
|
|
|
* @addtllen length of additional information string buffer
|
|
|
|
* @test_data filled test data
|
|
|
|
*
|
|
|
|
* return
|
|
|
|
* see crypto_rng_get_bytes
|
|
|
|
*/
|
|
|
|
static inline int crypto_drbg_get_bytes_addtl_test(struct crypto_rng *drng,
|
|
|
|
unsigned char *outbuf, unsigned int outlen,
|
|
|
|
struct drbg_string *addtl,
|
|
|
|
struct drbg_test_data *test_data)
|
|
|
|
{
|
2015-04-21 05:46:41 +03:00
|
|
|
crypto_rng_set_entropy(drng, test_data->testentropy->buf,
|
|
|
|
test_data->testentropy->len);
|
|
|
|
return crypto_rng_generate(drng, addtl->buf, addtl->len,
|
|
|
|
outbuf, outlen);
|
2014-05-31 19:21:48 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* TEST code
|
|
|
|
*
|
|
|
|
* This is a wrapper to the kernel crypto API function of
|
|
|
|
* crypto_rng_reset() to allow the caller to provide test_data
|
|
|
|
*
|
|
|
|
* @drng DRBG handle -- see crypto_rng_reset
|
|
|
|
* @pers personalization string input buffer
|
|
|
|
* @perslen length of additional information string buffer
|
|
|
|
* @test_data filled test data
|
|
|
|
*
|
|
|
|
* return
|
|
|
|
* see crypto_rng_reset
|
|
|
|
*/
|
|
|
|
static inline int crypto_drbg_reset_test(struct crypto_rng *drng,
|
|
|
|
struct drbg_string *pers,
|
|
|
|
struct drbg_test_data *test_data)
|
|
|
|
{
|
2015-04-21 05:46:41 +03:00
|
|
|
crypto_rng_set_entropy(drng, test_data->testentropy->buf,
|
|
|
|
test_data->testentropy->len);
|
|
|
|
return crypto_rng_reset(drng, pers->buf, pers->len);
|
2014-05-31 19:21:48 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
/* DRBG type flags */
|
|
|
|
#define DRBG_CTR ((drbg_flag_t)1<<0)
|
|
|
|
#define DRBG_HMAC ((drbg_flag_t)1<<1)
|
|
|
|
#define DRBG_HASH ((drbg_flag_t)1<<2)
|
|
|
|
#define DRBG_TYPE_MASK (DRBG_CTR | DRBG_HMAC | DRBG_HASH)
|
|
|
|
/* DRBG strength flags */
|
|
|
|
#define DRBG_STRENGTH128 ((drbg_flag_t)1<<3)
|
|
|
|
#define DRBG_STRENGTH192 ((drbg_flag_t)1<<4)
|
|
|
|
#define DRBG_STRENGTH256 ((drbg_flag_t)1<<5)
|
|
|
|
#define DRBG_STRENGTH_MASK (DRBG_STRENGTH128 | DRBG_STRENGTH192 | \
|
|
|
|
DRBG_STRENGTH256)
|
|
|
|
|
|
|
|
enum drbg_prefixes {
|
|
|
|
DRBG_PREFIX0 = 0x00,
|
|
|
|
DRBG_PREFIX1,
|
|
|
|
DRBG_PREFIX2,
|
|
|
|
DRBG_PREFIX3
|
|
|
|
};
|
|
|
|
|
|
|
|
#endif /* _DRBG_H */
|