Gitiles
Code Review Sign In
android-review.linaro.org / kernel / hikey-linaro / 3e16f959b93fd323e1d1a37760e10f39fa3007bb / . / include / crypto / drbg.h
blob: b507c5b6020a662f692530d22d226d837039c8fb [file] [log] [blame]
Stephan Mueller3e16f952014-05-31 17:21:48 +0200[diff] [blame^]1/*
2 * DRBG based on NIST SP800-90A
3 *
4 * Copyright Stephan Mueller <smueller@chronox.de>, 2014
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, and the entire permission notice in its entirety,
11 * including the disclaimer of warranties.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. The name of the author may not be used to endorse or promote
16 * products derived from this software without specific prior
17 * written permission.
18 *
19 * ALTERNATIVELY, this product may be distributed under the terms of
20 * the GNU General Public License, in which case the provisions of the GPL are
21 * required INSTEAD OF the above restrictions. (This clause is
22 * necessary due to a potential bad interaction between the GPL and
23 * the restrictions contained in a BSD-style copyright.)
24 *
25 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
26 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
27 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
28 * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE
29 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
30 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
31 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
32 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
33 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
35 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
36 * DAMAGE.
37 */
38
39#ifndef _DRBG_H
40#define _DRBG_H
41
42
43#include <linux/random.h>
44#include <linux/scatterlist.h>
45#include <crypto/hash.h>
46#include <linux/module.h>
47#include <linux/crypto.h>
48#include <linux/slab.h>
49#include <crypto/internal/rng.h>
50#include <crypto/rng.h>
51#include <linux/fips.h>
52#include <linux/spinlock.h>
53
54/*
55 * Concatenation Helper and string operation helper
56 *
57 * SP800-90A requires the concatenation of different data. To avoid copying
58 * buffers around or allocate additional memory, the following data structure
59 * is used to point to the original memory with its size. In addition, it
60 * is used to build a linked list. The linked list defines the concatenation
61 * of individual buffers. The order of memory block referenced in that
62 * linked list determines the order of concatenation.
63 */
64struct drbg_string {
65 const unsigned char *buf;
66 size_t len;
67 struct drbg_string *next;
68};
69
70static inline void drbg_string_fill(struct drbg_string *string,
71 const unsigned char *buf, size_t len)
72{
73 string->buf = buf;
74 string->len = len;
75 string->next = NULL;
76}
77
78struct drbg_state;
79typedef uint32_t drbg_flag_t;
80
81struct drbg_core {
82 drbg_flag_t flags; /* flags for the cipher */
83 __u8 statelen; /* maximum state length */
84 /*
85 * maximum length of personalization string or additional input
86 * string -- exponent for base 2
87 */
88 __u8 max_addtllen;
89 /* maximum bits per RNG request -- exponent for base 2*/
90 __u8 max_bits;
91 /* maximum number of requests -- exponent for base 2 */
92 __u8 max_req;
93 __u8 blocklen_bytes; /* block size of output in bytes */
94 char cra_name[CRYPTO_MAX_ALG_NAME]; /* mapping to kernel crypto API */
95 /* kernel crypto API backend cipher name */
96 char backend_cra_name[CRYPTO_MAX_ALG_NAME];
97};
98
99struct drbg_state_ops {
100 int (*update)(struct drbg_state *drbg, struct drbg_string *seed,
101 int reseed);
102 int (*generate)(struct drbg_state *drbg,
103 unsigned char *buf, unsigned int buflen,
104 struct drbg_string *addtl);
105 int (*crypto_init)(struct drbg_state *drbg);
106 int (*crypto_fini)(struct drbg_state *drbg);
107
108};
109
110struct drbg_test_data {
111 struct drbg_string *testentropy; /* TEST PARAMETER: test entropy */
112};
113
114struct drbg_state {
115 spinlock_t drbg_lock; /* lock around DRBG */
116 unsigned char *V; /* internal state 10.1.1.1 1a) */
117 /* hash: static value 10.1.1.1 1b) hmac / ctr: key */
118 unsigned char *C;
119 /* Number of RNG requests since last reseed -- 10.1.1.1 1c) */
120 size_t reseed_ctr;
121 /* some memory the DRBG can use for its operation */
122 unsigned char *scratchpad;
123 void *priv_data; /* Cipher handle */
124 bool seeded; /* DRBG fully seeded? */
125 bool pr; /* Prediction resistance enabled? */
126#ifdef CONFIG_CRYPTO_FIPS
127 bool fips_primed; /* Continuous test primed? */
128 unsigned char *prev; /* FIPS 140-2 continuous test value */
129#endif
130 const struct drbg_state_ops *d_ops;
131 const struct drbg_core *core;
132 struct drbg_test_data *test_data;
133};
134
135static inline __u8 drbg_statelen(struct drbg_state *drbg)
136{
137 if (drbg && drbg->core)
138 return drbg->core->statelen;
139 return 0;
140}
141
142static inline __u8 drbg_blocklen(struct drbg_state *drbg)
143{
144 if (drbg && drbg->core)
145 return drbg->core->blocklen_bytes;
146 return 0;
147}
148
149static inline __u8 drbg_keylen(struct drbg_state *drbg)
150{
151 if (drbg && drbg->core)
152 return (drbg->core->statelen - drbg->core->blocklen_bytes);
153 return 0;
154}
155
156static inline size_t drbg_max_request_bytes(struct drbg_state *drbg)
157{
158 /* max_bits is in bits, but buflen is in bytes */
159 return (1 << (drbg->core->max_bits - 3));
160}
161
162static inline size_t drbg_max_addtl(struct drbg_state *drbg)
163{
164 return (1UL<<(drbg->core->max_addtllen));
165}
166
167static inline size_t drbg_max_requests(struct drbg_state *drbg)
168{
169 return (1UL<<(drbg->core->max_req));
170}
171
172/*
173 * kernel crypto API input data structure for DRBG generate in case dlen
174 * is set to 0
175 */
176struct drbg_gen {
177 unsigned char *outbuf; /* output buffer for random numbers */
178 unsigned int outlen; /* size of output buffer */
179 struct drbg_string *addtl; /* additional information string */
180 struct drbg_test_data *test_data; /* test data */
181};
182
183/*
184 * This is a wrapper to the kernel crypto API function of
185 * crypto_rng_get_bytes() to allow the caller to provide additional data.
186 *
187 * @drng DRBG handle -- see crypto_rng_get_bytes
188 * @outbuf output buffer -- see crypto_rng_get_bytes
189 * @outlen length of output buffer -- see crypto_rng_get_bytes
190 * @addtl_input additional information string input buffer
191 * @addtllen length of additional information string buffer
192 *
193 * return
194 * see crypto_rng_get_bytes
195 */
196static inline int crypto_drbg_get_bytes_addtl(struct crypto_rng *drng,
197 unsigned char *outbuf, unsigned int outlen,
198 struct drbg_string *addtl)
199{
200 int ret;
201 struct drbg_gen genbuf;
202 genbuf.outbuf = outbuf;
203 genbuf.outlen = outlen;
204 genbuf.addtl = addtl;
205 genbuf.test_data = NULL;
206 ret = crypto_rng_get_bytes(drng, (u8 *)&genbuf, 0);
207 return ret;
208}
209
210/*
211 * TEST code
212 *
213 * This is a wrapper to the kernel crypto API function of
214 * crypto_rng_get_bytes() to allow the caller to provide additional data and
215 * allow furnishing of test_data
216 *
217 * @drng DRBG handle -- see crypto_rng_get_bytes
218 * @outbuf output buffer -- see crypto_rng_get_bytes
219 * @outlen length of output buffer -- see crypto_rng_get_bytes
220 * @addtl_input additional information string input buffer
221 * @addtllen length of additional information string buffer
222 * @test_data filled test data
223 *
224 * return
225 * see crypto_rng_get_bytes
226 */
227static inline int crypto_drbg_get_bytes_addtl_test(struct crypto_rng *drng,
228 unsigned char *outbuf, unsigned int outlen,
229 struct drbg_string *addtl,
230 struct drbg_test_data *test_data)
231{
232 int ret;
233 struct drbg_gen genbuf;
234 genbuf.outbuf = outbuf;
235 genbuf.outlen = outlen;
236 genbuf.addtl = addtl;
237 genbuf.test_data = test_data;
238 ret = crypto_rng_get_bytes(drng, (u8 *)&genbuf, 0);
239 return ret;
240}
241
242/*
243 * TEST code
244 *
245 * This is a wrapper to the kernel crypto API function of
246 * crypto_rng_reset() to allow the caller to provide test_data
247 *
248 * @drng DRBG handle -- see crypto_rng_reset
249 * @pers personalization string input buffer
250 * @perslen length of additional information string buffer
251 * @test_data filled test data
252 *
253 * return
254 * see crypto_rng_reset
255 */
256static inline int crypto_drbg_reset_test(struct crypto_rng *drng,
257 struct drbg_string *pers,
258 struct drbg_test_data *test_data)
259{
260 int ret;
261 struct drbg_gen genbuf;
262 genbuf.outbuf = NULL;
263 genbuf.outlen = 0;
264 genbuf.addtl = pers;
265 genbuf.test_data = test_data;
266 ret = crypto_rng_reset(drng, (u8 *)&genbuf, 0);
267 return ret;
268}
269
270/* DRBG type flags */
271#define DRBG_CTR ((drbg_flag_t)1<<0)
272#define DRBG_HMAC ((drbg_flag_t)1<<1)
273#define DRBG_HASH ((drbg_flag_t)1<<2)
274#define DRBG_TYPE_MASK (DRBG_CTR | DRBG_HMAC | DRBG_HASH)
275/* DRBG strength flags */
276#define DRBG_STRENGTH128 ((drbg_flag_t)1<<3)
277#define DRBG_STRENGTH192 ((drbg_flag_t)1<<4)
278#define DRBG_STRENGTH256 ((drbg_flag_t)1<<5)
279#define DRBG_STRENGTH_MASK (DRBG_STRENGTH128 | DRBG_STRENGTH192 | \
280 DRBG_STRENGTH256)
281
282enum drbg_prefixes {
283 DRBG_PREFIX0 = 0x00,
284 DRBG_PREFIX1,
285 DRBG_PREFIX2,
286 DRBG_PREFIX3
287};
288
289#endif /* _DRBG_H */