1
by Ben Collins, Ben Collins
[ Ben Collins ] |
1 |
/*
|
2 |
* PRNG: Pseudo Random Number Generator
|
|
3 |
* Based on NIST Recommended PRNG From ANSI X9.31 Appendix A.2.4 using
|
|
4 |
* AES 128 cipher
|
|
5 |
*
|
|
6 |
* (C) Neil Horman <nhorman@tuxdriver.com>
|
|
7 |
*
|
|
8 |
* This program is free software; you can redistribute it and/or modify it
|
|
9 |
* under the terms of the GNU General Public License as published by the
|
|
10 |
* Free Software Foundation; either version 2 of the License, or (at your
|
|
11 |
* any later version.
|
|
12 |
*
|
|
13 |
*
|
|
14 |
*/
|
|
15 |
||
16 |
#include <crypto/internal/rng.h> |
|
17 |
#include <linux/err.h> |
|
18 |
#include <linux/init.h> |
|
19 |
#include <linux/module.h> |
|
20 |
#include <linux/moduleparam.h> |
|
21 |
#include <linux/string.h> |
|
22 |
||
23 |
#include "internal.h" |
|
24 |
||
25 |
#define DEFAULT_PRNG_KEY "0123456789abcdef"
|
|
26 |
#define DEFAULT_PRNG_KSZ 16
|
|
27 |
#define DEFAULT_BLK_SZ 16
|
|
28 |
#define DEFAULT_V_SEED "zaybxcwdveuftgsh"
|
|
29 |
||
30 |
/*
|
|
31 |
* Flags for the prng_context flags field
|
|
32 |
*/
|
|
33 |
||
34 |
#define PRNG_FIXED_SIZE 0x1
|
|
35 |
#define PRNG_NEED_RESET 0x2
|
|
36 |
||
37 |
/*
|
|
38 |
* Note: DT is our counter value
|
|
39 |
* I is our intermediate value
|
|
40 |
* V is our seed vector
|
|
41 |
* See http://csrc.nist.gov/groups/STM/cavp/documents/rng/931rngext.pdf
|
|
42 |
* for implementation details
|
|
43 |
*/
|
|
44 |
||
45 |
||
46 |
struct prng_context { |
|
47 |
spinlock_t prng_lock; |
|
48 |
unsigned char rand_data[DEFAULT_BLK_SZ]; |
|
49 |
unsigned char last_rand_data[DEFAULT_BLK_SZ]; |
|
50 |
unsigned char DT[DEFAULT_BLK_SZ]; |
|
51 |
unsigned char I[DEFAULT_BLK_SZ]; |
|
52 |
unsigned char V[DEFAULT_BLK_SZ]; |
|
53 |
u32 rand_data_valid; |
|
54 |
struct crypto_cipher *tfm; |
|
55 |
u32 flags; |
|
56 |
};
|
|
57 |
||
58 |
static int dbg; |
|
59 |
||
60 |
static void hexdump(char *note, unsigned char *buf, unsigned int len) |
|
61 |
{
|
|
62 |
if (dbg) { |
|
63 |
printk(KERN_CRIT "%s", note); |
|
64 |
print_hex_dump(KERN_CONT, "", DUMP_PREFIX_OFFSET, |
|
65 |
16, 1, |
|
66 |
buf, len, false); |
|
67 |
}
|
|
68 |
}
|
|
69 |
||
70 |
#define dbgprint(format, args...) do {\
|
|
71 |
if (dbg)\
|
|
72 |
printk(format, ##args);\
|
|
73 |
} while (0)
|
|
74 |
||
75 |
static void xor_vectors(unsigned char *in1, unsigned char *in2, |
|
76 |
unsigned char *out, unsigned int size) |
|
77 |
{
|
|
78 |
int i; |
|
79 |
||
80 |
for (i = 0; i < size; i++) |
|
81 |
out[i] = in1[i] ^ in2[i]; |
|
82 |
||
83 |
}
|
|
84 |
/*
|
|
85 |
* Returns DEFAULT_BLK_SZ bytes of random data per call
|
|
86 |
* returns 0 if generation succeeded, <0 if something went wrong
|
|
87 |
*/
|
|
88 |
static int _get_more_prng_bytes(struct prng_context *ctx, int cont_test) |
|
89 |
{
|
|
90 |
int i; |
|
91 |
unsigned char tmp[DEFAULT_BLK_SZ]; |
|
92 |
unsigned char *output = NULL; |
|
93 |
||
94 |
||
95 |
dbgprint(KERN_CRIT "Calling _get_more_prng_bytes for context %p\n", |
|
96 |
ctx); |
|
97 |
||
98 |
hexdump("Input DT: ", ctx->DT, DEFAULT_BLK_SZ); |
|
99 |
hexdump("Input I: ", ctx->I, DEFAULT_BLK_SZ); |
|
100 |
hexdump("Input V: ", ctx->V, DEFAULT_BLK_SZ); |
|
101 |
||
102 |
/*
|
|
103 |
* This algorithm is a 3 stage state machine
|
|
104 |
*/
|
|
105 |
for (i = 0; i < 3; i++) { |
|
106 |
||
107 |
switch (i) { |
|
108 |
case 0: |
|
109 |
/*
|
|
110 |
* Start by encrypting the counter value
|
|
111 |
* This gives us an intermediate value I
|
|
112 |
*/
|
|
113 |
memcpy(tmp, ctx->DT, DEFAULT_BLK_SZ); |
|
114 |
output = ctx->I; |
|
115 |
hexdump("tmp stage 0: ", tmp, DEFAULT_BLK_SZ); |
|
116 |
break; |
|
117 |
case 1: |
|
118 |
||
119 |
/*
|
|
120 |
* Next xor I with our secret vector V
|
|
121 |
* encrypt that result to obtain our
|
|
122 |
* pseudo random data which we output
|
|
123 |
*/
|
|
124 |
xor_vectors(ctx->I, ctx->V, tmp, DEFAULT_BLK_SZ); |
|
125 |
hexdump("tmp stage 1: ", tmp, DEFAULT_BLK_SZ); |
|
126 |
output = ctx->rand_data; |
|
127 |
break; |
|
128 |
case 2: |
|
129 |
/*
|
|
130 |
* First check that we didn't produce the same
|
|
131 |
* random data that we did last time around through this
|
|
132 |
*/
|
|
133 |
if (!memcmp(ctx->rand_data, ctx->last_rand_data, |
|
134 |
DEFAULT_BLK_SZ)) { |
|
135 |
if (cont_test) { |
|
136 |
panic("cprng %p Failed repetition check!\n", |
|
137 |
ctx); |
|
138 |
}
|
|
139 |
||
140 |
printk(KERN_ERR |
|
141 |
"ctx %p Failed repetition check!\n", |
|
142 |
ctx); |
|
143 |
||
144 |
ctx->flags |= PRNG_NEED_RESET; |
|
145 |
return -EINVAL; |
|
146 |
}
|
|
147 |
memcpy(ctx->last_rand_data, ctx->rand_data, |
|
148 |
DEFAULT_BLK_SZ); |
|
149 |
||
150 |
/*
|
|
151 |
* Lastly xor the random data with I
|
|
152 |
* and encrypt that to obtain a new secret vector V
|
|
153 |
*/
|
|
154 |
xor_vectors(ctx->rand_data, ctx->I, tmp, |
|
155 |
DEFAULT_BLK_SZ); |
|
156 |
output = ctx->V; |
|
157 |
hexdump("tmp stage 2: ", tmp, DEFAULT_BLK_SZ); |
|
158 |
break; |
|
159 |
}
|
|
160 |
||
161 |
||
162 |
/* do the encryption */
|
|
163 |
crypto_cipher_encrypt_one(ctx->tfm, output, tmp); |
|
164 |
||
165 |
}
|
|
166 |
||
167 |
/*
|
|
168 |
* Now update our DT value
|
|
169 |
*/
|
|
170 |
for (i = DEFAULT_BLK_SZ - 1; i >= 0; i--) { |
|
171 |
ctx->DT[i] += 1; |
|
172 |
if (ctx->DT[i] != 0) |
|
173 |
break; |
|
174 |
}
|
|
175 |
||
176 |
dbgprint("Returning new block for context %p\n", ctx); |
|
177 |
ctx->rand_data_valid = 0; |
|
178 |
||
179 |
hexdump("Output DT: ", ctx->DT, DEFAULT_BLK_SZ); |
|
180 |
hexdump("Output I: ", ctx->I, DEFAULT_BLK_SZ); |
|
181 |
hexdump("Output V: ", ctx->V, DEFAULT_BLK_SZ); |
|
182 |
hexdump("New Random Data: ", ctx->rand_data, DEFAULT_BLK_SZ); |
|
183 |
||
184 |
return 0; |
|
185 |
}
|
|
186 |
||
187 |
/* Our exported functions */
|
|
188 |
static int get_prng_bytes(char *buf, size_t nbytes, struct prng_context *ctx, |
|
189 |
int do_cont_test) |
|
190 |
{
|
|
191 |
unsigned char *ptr = buf; |
|
192 |
unsigned int byte_count = (unsigned int)nbytes; |
|
193 |
int err; |
|
194 |
||
195 |
||
196 |
spin_lock_bh(&ctx->prng_lock); |
|
197 |
||
198 |
err = -EINVAL; |
|
199 |
if (ctx->flags & PRNG_NEED_RESET) |
|
200 |
goto done; |
|
201 |
||
202 |
/*
|
|
203 |
* If the FIXED_SIZE flag is on, only return whole blocks of
|
|
204 |
* pseudo random data
|
|
205 |
*/
|
|
206 |
err = -EINVAL; |
|
207 |
if (ctx->flags & PRNG_FIXED_SIZE) { |
|
208 |
if (nbytes < DEFAULT_BLK_SZ) |
|
209 |
goto done; |
|
210 |
byte_count = DEFAULT_BLK_SZ; |
|
211 |
}
|
|
212 |
||
213 |
err = byte_count; |
|
214 |
||
215 |
dbgprint(KERN_CRIT "getting %d random bytes for context %p\n", |
|
216 |
byte_count, ctx); |
|
217 |
||
218 |
||
219 |
remainder: |
|
220 |
if (ctx->rand_data_valid == DEFAULT_BLK_SZ) { |
|
221 |
if (_get_more_prng_bytes(ctx, do_cont_test) < 0) { |
|
222 |
memset(buf, 0, nbytes); |
|
223 |
err = -EINVAL; |
|
224 |
goto done; |
|
225 |
}
|
|
226 |
}
|
|
227 |
||
228 |
/*
|
|
229 |
* Copy any data less than an entire block
|
|
230 |
*/
|
|
231 |
if (byte_count < DEFAULT_BLK_SZ) { |
|
232 |
empty_rbuf: |
|
233 |
for (; ctx->rand_data_valid < DEFAULT_BLK_SZ; |
|
234 |
ctx->rand_data_valid++) { |
|
235 |
*ptr = ctx->rand_data[ctx->rand_data_valid]; |
|
236 |
ptr++; |
|
237 |
byte_count--; |
|
238 |
if (byte_count == 0) |
|
239 |
goto done; |
|
240 |
}
|
|
241 |
}
|
|
242 |
||
243 |
/*
|
|
244 |
* Now copy whole blocks
|
|
245 |
*/
|
|
246 |
for (; byte_count >= DEFAULT_BLK_SZ; byte_count -= DEFAULT_BLK_SZ) { |
|
247 |
if (ctx->rand_data_valid == DEFAULT_BLK_SZ) { |
|
248 |
if (_get_more_prng_bytes(ctx, do_cont_test) < 0) { |
|
249 |
memset(buf, 0, nbytes); |
|
250 |
err = -EINVAL; |
|
251 |
goto done; |
|
252 |
}
|
|
253 |
}
|
|
254 |
if (ctx->rand_data_valid > 0) |
|
255 |
goto empty_rbuf; |
|
256 |
memcpy(ptr, ctx->rand_data, DEFAULT_BLK_SZ); |
|
257 |
ctx->rand_data_valid += DEFAULT_BLK_SZ; |
|
258 |
ptr += DEFAULT_BLK_SZ; |
|
259 |
}
|
|
260 |
||
261 |
/*
|
|
262 |
* Now go back and get any remaining partial block
|
|
263 |
*/
|
|
264 |
if (byte_count) |
|
265 |
goto remainder; |
|
266 |
||
267 |
done: |
|
268 |
spin_unlock_bh(&ctx->prng_lock); |
|
269 |
dbgprint(KERN_CRIT "returning %d from get_prng_bytes in context %p\n", |
|
270 |
err, ctx); |
|
271 |
return err; |
|
272 |
}
|
|
273 |
||
274 |
static void free_prng_context(struct prng_context *ctx) |
|
275 |
{
|
|
276 |
crypto_free_cipher(ctx->tfm); |
|
277 |
}
|
|
278 |
||
279 |
static int reset_prng_context(struct prng_context *ctx, |
|
280 |
unsigned char *key, size_t klen, |
|
281 |
unsigned char *V, unsigned char *DT) |
|
282 |
{
|
|
283 |
int ret; |
|
284 |
unsigned char *prng_key; |
|
285 |
||
286 |
spin_lock_bh(&ctx->prng_lock); |
|
287 |
ctx->flags |= PRNG_NEED_RESET; |
|
288 |
||
289 |
prng_key = (key != NULL) ? key : (unsigned char *)DEFAULT_PRNG_KEY; |
|
290 |
||
291 |
if (!key) |
|
292 |
klen = DEFAULT_PRNG_KSZ; |
|
293 |
||
294 |
if (V) |
|
295 |
memcpy(ctx->V, V, DEFAULT_BLK_SZ); |
|
296 |
else
|
|
297 |
memcpy(ctx->V, DEFAULT_V_SEED, DEFAULT_BLK_SZ); |
|
298 |
||
299 |
if (DT) |
|
300 |
memcpy(ctx->DT, DT, DEFAULT_BLK_SZ); |
|
301 |
else
|
|
302 |
memset(ctx->DT, 0, DEFAULT_BLK_SZ); |
|
303 |
||
304 |
memset(ctx->rand_data, 0, DEFAULT_BLK_SZ); |
|
305 |
memset(ctx->last_rand_data, 0, DEFAULT_BLK_SZ); |
|
306 |
||
307 |
ctx->rand_data_valid = DEFAULT_BLK_SZ; |
|
308 |
||
309 |
ret = crypto_cipher_setkey(ctx->tfm, prng_key, klen); |
|
310 |
if (ret) { |
|
311 |
dbgprint(KERN_CRIT "PRNG: setkey() failed flags=%x\n", |
|
312 |
crypto_cipher_get_flags(ctx->tfm)); |
|
313 |
goto out; |
|
314 |
}
|
|
315 |
||
316 |
ret = 0; |
|
317 |
ctx->flags &= ~PRNG_NEED_RESET; |
|
318 |
out: |
|
319 |
spin_unlock_bh(&ctx->prng_lock); |
|
320 |
return ret; |
|
321 |
}
|
|
322 |
||
323 |
static int cprng_init(struct crypto_tfm *tfm) |
|
324 |
{
|
|
325 |
struct prng_context *ctx = crypto_tfm_ctx(tfm); |
|
326 |
||
327 |
spin_lock_init(&ctx->prng_lock); |
|
328 |
ctx->tfm = crypto_alloc_cipher("aes", 0, 0); |
|
329 |
if (IS_ERR(ctx->tfm)) { |
|
330 |
dbgprint(KERN_CRIT "Failed to alloc tfm for context %p\n", |
|
331 |
ctx); |
|
332 |
return PTR_ERR(ctx->tfm); |
|
333 |
}
|
|
334 |
||
335 |
if (reset_prng_context(ctx, NULL, DEFAULT_PRNG_KSZ, NULL, NULL) < 0) |
|
336 |
return -EINVAL; |
|
337 |
||
338 |
/*
|
|
339 |
* after allocation, we should always force the user to reset
|
|
340 |
* so they don't inadvertently use the insecure default values
|
|
341 |
* without specifying them intentially
|
|
342 |
*/
|
|
343 |
ctx->flags |= PRNG_NEED_RESET; |
|
344 |
return 0; |
|
345 |
}
|
|
346 |
||
347 |
static void cprng_exit(struct crypto_tfm *tfm) |
|
348 |
{
|
|
349 |
free_prng_context(crypto_tfm_ctx(tfm)); |
|
350 |
}
|
|
351 |
||
352 |
static int cprng_get_random(struct crypto_rng *tfm, u8 *rdata, |
|
353 |
unsigned int dlen) |
|
354 |
{
|
|
355 |
struct prng_context *prng = crypto_rng_ctx(tfm); |
|
356 |
||
357 |
return get_prng_bytes(rdata, dlen, prng, 0); |
|
358 |
}
|
|
359 |
||
360 |
/*
|
|
361 |
* This is the cprng_registered reset method the seed value is
|
|
362 |
* interpreted as the tuple { V KEY DT}
|
|
363 |
* V and KEY are required during reset, and DT is optional, detected
|
|
364 |
* as being present by testing the length of the seed
|
|
365 |
*/
|
|
366 |
static int cprng_reset(struct crypto_rng *tfm, u8 *seed, unsigned int slen) |
|
367 |
{
|
|
368 |
struct prng_context *prng = crypto_rng_ctx(tfm); |
|
369 |
u8 *key = seed + DEFAULT_BLK_SZ; |
|
370 |
u8 *dt = NULL; |
|
371 |
||
372 |
if (slen < DEFAULT_PRNG_KSZ + DEFAULT_BLK_SZ) |
|
373 |
return -EINVAL; |
|
374 |
||
375 |
if (slen >= (2 * DEFAULT_BLK_SZ + DEFAULT_PRNG_KSZ)) |
|
376 |
dt = key + DEFAULT_PRNG_KSZ; |
|
377 |
||
378 |
reset_prng_context(prng, key, DEFAULT_PRNG_KSZ, seed, dt); |
|
379 |
||
380 |
if (prng->flags & PRNG_NEED_RESET) |
|
381 |
return -EINVAL; |
|
382 |
return 0; |
|
383 |
}
|
|
384 |
||
385 |
#ifdef CONFIG_CRYPTO_FIPS
|
|
386 |
static int fips_cprng_get_random(struct crypto_rng *tfm, u8 *rdata, |
|
387 |
unsigned int dlen) |
|
388 |
{
|
|
389 |
struct prng_context *prng = crypto_rng_ctx(tfm); |
|
390 |
||
391 |
return get_prng_bytes(rdata, dlen, prng, 1); |
|
392 |
}
|
|
393 |
||
394 |
static int fips_cprng_reset(struct crypto_rng *tfm, u8 *seed, unsigned int slen) |
|
395 |
{
|
|
396 |
u8 rdata[DEFAULT_BLK_SZ]; |
|
397 |
u8 *key = seed + DEFAULT_BLK_SZ; |
|
398 |
int rc; |
|
399 |
||
400 |
struct prng_context *prng = crypto_rng_ctx(tfm); |
|
401 |
||
402 |
if (slen < DEFAULT_PRNG_KSZ + DEFAULT_BLK_SZ) |
|
403 |
return -EINVAL; |
|
404 |
||
405 |
/* fips strictly requires seed != key */
|
|
406 |
if (!memcmp(seed, key, DEFAULT_PRNG_KSZ)) |
|
407 |
return -EINVAL; |
|
408 |
||
409 |
rc = cprng_reset(tfm, seed, slen); |
|
410 |
||
411 |
if (!rc) |
|
412 |
goto out; |
|
413 |
||
414 |
/* this primes our continuity test */
|
|
415 |
rc = get_prng_bytes(rdata, DEFAULT_BLK_SZ, prng, 0); |
|
416 |
prng->rand_data_valid = DEFAULT_BLK_SZ; |
|
417 |
||
418 |
out: |
|
419 |
return rc; |
|
420 |
}
|
|
421 |
#endif
|
|
422 |
||
423 |
static struct crypto_alg rng_algs[] = { { |
|
424 |
.cra_name = "stdrng", |
|
425 |
.cra_driver_name = "ansi_cprng", |
|
426 |
.cra_priority = 100, |
|
427 |
.cra_flags = CRYPTO_ALG_TYPE_RNG, |
|
428 |
.cra_ctxsize = sizeof(struct prng_context), |
|
429 |
.cra_type = &crypto_rng_type, |
|
430 |
.cra_module = THIS_MODULE, |
|
431 |
.cra_init = cprng_init, |
|
432 |
.cra_exit = cprng_exit, |
|
433 |
.cra_u = { |
|
434 |
.rng = { |
|
435 |
.rng_make_random = cprng_get_random, |
|
436 |
.rng_reset = cprng_reset, |
|
437 |
.seedsize = DEFAULT_PRNG_KSZ + 2*DEFAULT_BLK_SZ, |
|
438 |
}
|
|
439 |
}
|
|
440 |
#ifdef CONFIG_CRYPTO_FIPS
|
|
441 |
}, { |
|
442 |
.cra_name = "fips(ansi_cprng)", |
|
443 |
.cra_driver_name = "fips_ansi_cprng", |
|
444 |
.cra_priority = 300, |
|
445 |
.cra_flags = CRYPTO_ALG_TYPE_RNG, |
|
446 |
.cra_ctxsize = sizeof(struct prng_context), |
|
447 |
.cra_type = &crypto_rng_type, |
|
448 |
.cra_module = THIS_MODULE, |
|
449 |
.cra_init = cprng_init, |
|
450 |
.cra_exit = cprng_exit, |
|
451 |
.cra_u = { |
|
452 |
.rng = { |
|
453 |
.rng_make_random = fips_cprng_get_random, |
|
454 |
.rng_reset = fips_cprng_reset, |
|
455 |
.seedsize = DEFAULT_PRNG_KSZ + 2*DEFAULT_BLK_SZ, |
|
456 |
}
|
|
457 |
}
|
|
458 |
#endif
|
|
459 |
} }; |
|
460 |
||
461 |
/* Module initalization */
|
|
462 |
static int __init prng_mod_init(void) |
|
463 |
{
|
|
464 |
return crypto_register_algs(rng_algs, ARRAY_SIZE(rng_algs)); |
|
465 |
}
|
|
466 |
||
467 |
static void __exit prng_mod_fini(void) |
|
468 |
{
|
|
469 |
crypto_unregister_algs(rng_algs, ARRAY_SIZE(rng_algs)); |
|
470 |
}
|
|
471 |
||
472 |
MODULE_LICENSE("GPL"); |
|
473 |
MODULE_DESCRIPTION("Software Pseudo Random Number Generator"); |
|
474 |
MODULE_AUTHOR("Neil Horman <nhorman@tuxdriver.com>"); |
|
475 |
module_param(dbg, int, 0); |
|
476 |
MODULE_PARM_DESC(dbg, "Boolean to enable debugging (0/1 == off/on)"); |
|
477 |
module_init(prng_mod_init); |
|
478 |
module_exit(prng_mod_fini); |
|
479 |
MODULE_ALIAS("stdrng"); |