صفحهٔ اصلی گشت‌و‌گذار راهنما
ثبت نام ورود
dingyu
/
CooCenter-System-kernel
1
0
انشعاب 0
پرونده‌ها مشکلات 0 درخواست واکشی 0 ویکی
شاخه: master
شاخه‌ها تگ‌ها
CooCenter-Sy...
/
include
/
crypto
/
drbg.h

drbg.h 8.6 KB
لینک دائمی تاريخچه خام

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275 
  1. /*
    2. 

  2.  * DRBG based on NIST SP800-90A
    3. 

  3.  *
    4. 

  4.  * Copyright Stephan Mueller <smueller@chronox.de>, 2014
    5. 

  5.  *
    6. 

  6.  * Redistribution and use in source and binary forms, with or without
    7. 

  7.  * modification, are permitted provided that the following conditions
    8. 

  8.  * are met:
    9. 

  9.  * 1. Redistributions of source code must retain the above copyright
    10. 

  10.  *    notice, and the entire permission notice in its entirety,
    11. 

  11.  *    including the disclaimer of warranties.
    12. 

  12.  * 2. Redistributions in binary form must reproduce the above copyright
    13. 

  13.  *    notice, this list of conditions and the following disclaimer in the
    14. 

  14.  *    documentation and/or other materials provided with the distribution.
    15. 

  15.  * 3. The name of the author may not be used to endorse or promote
    16. 

  16.  *    products derived from this software without specific prior
    17. 

  17.  *    written permission.
    18. 

  18.  *
    19. 

  19.  * ALTERNATIVELY, this product may be distributed under the terms of
    20. 

  20.  * the GNU General Public License, in which case the provisions of the GPL are
    21. 

  21.  * required INSTEAD OF the above restrictions.  (This clause is
    22. 

  22.  * necessary due to a potential bad interaction between the GPL and
    23. 

  23.  * the restrictions contained in a BSD-style copyright.)
    24. 

  24.  *
    25. 

  25.  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
    26. 

  26.  * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
    27. 

  27.  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
    28. 

  28.  * WHICH ARE HEREBY DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE
    29. 

  29.  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
    30. 

  30.  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    31. 

  31.  * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    32. 

  32.  * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
    33. 

  33.  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
    34. 

  34.  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
    35. 

  35.  * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
    36. 

  36.  * DAMAGE.
    37. 

  37.  */
    38. 

  38. 

  39. #ifndef _DRBG_H
    40. 

  40. #define _DRBG_H
    41. 

  41. 

  42. 

  43. #include <linux/random.h>
    44. 

  44. #include <linux/scatterlist.h>
    45. 

  45. #include <crypto/hash.h>
    46. 

  46. #include <linux/module.h>
    47. 

  47. #include <linux/crypto.h>
    48. 

  48. #include <linux/slab.h>
    49. 

  49. #include <crypto/internal/rng.h>
    50. 

  50. #include <crypto/rng.h>
    51. 

  51. #include <linux/fips.h>
    52. 

  52. #include <linux/mutex.h>
    53. 

  53. #include <linux/list.h>
    54. 

  54. #include <linux/workqueue.h>
    55. 

  55. 

  56. /*
    57. 

  57.  * Concatenation Helper and string operation helper
    58. 

  58.  *
    59. 

  59.  * SP800-90A requires the concatenation of different data. To avoid copying
    60. 

  60.  * buffers around or allocate additional memory, the following data structure
    61. 

  61.  * is used to point to the original memory with its size. In addition, it
    62. 

  62.  * is used to build a linked list. The linked list defines the concatenation
    63. 

  63.  * of individual buffers. The order of memory block referenced in that
    64. 

  64.  * linked list determines the order of concatenation.
    65. 

  65.  */
    66. 

  66. struct drbg_string {
    67. 

  67. 	const unsigned char *buf;
    68. 

  68. 	size_t len;
    69. 

  69. 	struct list_head list;
    70. 

  70. };
    71. 

  71. 

  72. static inline void drbg_string_fill(struct drbg_string *string,
    73. 

  73. 				    const unsigned char *buf, size_t len)
    74. 

  74. {
    75. 

  75. 	string->buf = buf;
    76. 

  76. 	string->len = len;
    77. 

  77. 	INIT_LIST_HEAD(&string->list);
    78. 

  78. }
    79. 

  79. 

  80. struct drbg_state;
    81. 

  81. typedef uint32_t drbg_flag_t;
    82. 

  82. 

  83. struct drbg_core {
    84. 

  84. 	drbg_flag_t flags;	/* flags for the cipher */
    85. 

  85. 	__u8 statelen;		/* maximum state length */
    86. 

  86. 	__u8 blocklen_bytes;	/* block size of output in bytes */
    87. 

  87. 	char cra_name[CRYPTO_MAX_ALG_NAME]; /* mapping to kernel crypto API */
    88. 

  88. 	 /* kernel crypto API backend cipher name */
    89. 

  89. 	char backend_cra_name[CRYPTO_MAX_ALG_NAME];
    90. 

  90. };
    91. 

  91. 

  92. struct drbg_state_ops {
    93. 

  93. 	int (*update)(struct drbg_state *drbg, struct list_head *seed,
    94. 

  94. 		      int reseed);
    95. 

  95. 	int (*generate)(struct drbg_state *drbg,
    96. 

  96. 			unsigned char *buf, unsigned int buflen,
    97. 

  97. 			struct list_head *addtl);
    98. 

  98. 	int (*crypto_init)(struct drbg_state *drbg);
    99. 

  99. 	int (*crypto_fini)(struct drbg_state *drbg);
    100. 

  100. 

  101. };
    102. 

  102. 

  103. struct drbg_test_data {
    104. 

  104. 	struct drbg_string *testentropy; /* TEST PARAMETER: test entropy */
    105. 

  105. };
    106. 

  106. 

  107. struct drbg_state {
    108. 

  108. 	struct mutex drbg_mutex;	/* lock around DRBG */
    109. 

  109. 	unsigned char *V;	/* internal state 10.1.1.1 1a) */
    110. 

  110. 	/* hash: static value 10.1.1.1 1b) hmac / ctr: key */
    111. 

  111. 	unsigned char *C;
    112. 

  112. 	/* Number of RNG requests since last reseed -- 10.1.1.1 1c) */
    113. 

  113. 	size_t reseed_ctr;
    114. 

  114. 	size_t reseed_threshold;
    115. 

  115. 	 /* some memory the DRBG can use for its operation */
    116. 

  116. 	unsigned char *scratchpad;
    117. 

  117. 	void *priv_data;	/* Cipher handle */
    118. 

  118. 	bool seeded;		/* DRBG fully seeded? */
    119. 

  119. 	bool pr;		/* Prediction resistance enabled? */
    120. 

  120. #ifdef CONFIG_CRYPTO_FIPS
    121. 

  121. 	bool fips_primed;	/* Continuous test primed? */
    122. 

  122. 	unsigned char *prev;	/* FIPS 140-2 continuous test value */
    123. 

  123. #endif
    124. 

  124. 	struct work_struct seed_work;	/* asynchronous seeding support */
    125. 

  125. 	struct crypto_rng *jent;
    126. 

  126. 	const struct drbg_state_ops *d_ops;
    127. 

  127. 	const struct drbg_core *core;
    128. 

  128. 	struct drbg_string test_data;
    129. 

  129. 	struct random_ready_callback random_ready;
    130. 

  130. };
    131. 

  131. 

  132. static inline __u8 drbg_statelen(struct drbg_state *drbg)
    133. 

  133. {
    134. 

  134. 	if (drbg && drbg->core)
    135. 

  135. 		return drbg->core->statelen;
    136. 

  136. 	return 0;
    137. 

  137. }
    138. 

  138. 

  139. static inline __u8 drbg_blocklen(struct drbg_state *drbg)
    140. 

  140. {
    141. 

  141. 	if (drbg && drbg->core)
    142. 

  142. 		return drbg->core->blocklen_bytes;
    143. 

  143. 	return 0;
    144. 

  144. }
    145. 

  145. 

  146. static inline __u8 drbg_keylen(struct drbg_state *drbg)
    147. 

  147. {
    148. 

  148. 	if (drbg && drbg->core)
    149. 

  149. 		return (drbg->core->statelen - drbg->core->blocklen_bytes);
    150. 

  150. 	return 0;
    151. 

  151. }
    152. 

  152. 

  153. static inline size_t drbg_max_request_bytes(struct drbg_state *drbg)
    154. 

  154. {
    155. 

  155. 	/* SP800-90A requires the limit 2**19 bits, but we return bytes */
    156. 

  156. 	return (1 << 16);
    157. 

  157. }
    158. 

  158. 

  159. static inline size_t drbg_max_addtl(struct drbg_state *drbg)
    160. 

  160. {
    161. 

  161. 	/* SP800-90A requires 2**35 bytes additional info str / pers str */
    162. 

  162. #if (__BITS_PER_LONG == 32)
    163. 

  163. 	/*
    164. 

  164. 	 * SP800-90A allows smaller maximum numbers to be returned -- we
    165. 

  165. 	 * return SIZE_MAX - 1 to allow the verification of the enforcement
    166. 

  166. 	 * of this value in drbg_healthcheck_sanity.
    167. 

  167. 	 */
    168. 

  168. 	return (SIZE_MAX - 1);
    169. 

  169. #else
    170. 

  170. 	return (1UL<<35);
    171. 

  171. #endif
    172. 

  172. }
    173. 

  173. 

  174. static inline size_t drbg_max_requests(struct drbg_state *drbg)
    175. 

  175. {
    176. 

  176. 	/* SP800-90A requires 2**48 maximum requests before reseeding */
    177. 

  177. #if (__BITS_PER_LONG == 32)
    178. 

  178. 	return SIZE_MAX;
    179. 

  179. #else
    180. 

  180. 	return (1UL<<48);
    181. 

  181. #endif
    182. 

  182. }
    183. 

  183. 

  184. /*
    185. 

  185.  * This is a wrapper to the kernel crypto API function of
    186. 

  186.  * crypto_rng_generate() to allow the caller to provide additional data.
    187. 

  187.  *
    188. 

  188.  * @drng DRBG handle -- see crypto_rng_get_bytes
    189. 

  189.  * @outbuf output buffer -- see crypto_rng_get_bytes
    190. 

  190.  * @outlen length of output buffer -- see crypto_rng_get_bytes
    191. 

  191.  * @addtl_input additional information string input buffer
    192. 

  192.  * @addtllen length of additional information string buffer
    193. 

  193.  *
    194. 

  194.  * return
    195. 

  195.  *	see crypto_rng_get_bytes
    196. 

  196.  */
    197. 

  197. static inline int crypto_drbg_get_bytes_addtl(struct crypto_rng *drng,
    198. 

  198. 			unsigned char *outbuf, unsigned int outlen,
    199. 

  199. 			struct drbg_string *addtl)
    200. 

  200. {
    201. 

  201. 	return crypto_rng_generate(drng, addtl->buf, addtl->len,
    202. 

  202. 				   outbuf, outlen);
    203. 

  203. }
    204. 

  204. 

  205. /*
    206. 

  206.  * TEST code
    207. 

  207.  *
    208. 

  208.  * This is a wrapper to the kernel crypto API function of
    209. 

  209.  * crypto_rng_generate() to allow the caller to provide additional data and
    210. 

  210.  * allow furnishing of test_data
    211. 

  211.  *
    212. 

  212.  * @drng DRBG handle -- see crypto_rng_get_bytes
    213. 

  213.  * @outbuf output buffer -- see crypto_rng_get_bytes
    214. 

  214.  * @outlen length of output buffer -- see crypto_rng_get_bytes
    215. 

  215.  * @addtl_input additional information string input buffer
    216. 

  216.  * @addtllen length of additional information string buffer
    217. 

  217.  * @test_data filled test data
    218. 

  218.  *
    219. 

  219.  * return
    220. 

  220.  *	see crypto_rng_get_bytes
    221. 

  221.  */
    222. 

  222. static inline int crypto_drbg_get_bytes_addtl_test(struct crypto_rng *drng,
    223. 

  223. 			unsigned char *outbuf, unsigned int outlen,
    224. 

  224. 			struct drbg_string *addtl,
    225. 

  225. 			struct drbg_test_data *test_data)
    226. 

  226. {
    227. 

  227. 	crypto_rng_set_entropy(drng, test_data->testentropy->buf,
    228. 

  228. 			       test_data->testentropy->len);
    229. 

  229. 	return crypto_rng_generate(drng, addtl->buf, addtl->len,
    230. 

  230. 				   outbuf, outlen);
    231. 

  231. }
    232. 

  232. 

  233. /*
    234. 

  234.  * TEST code
    235. 

  235.  *
    236. 

  236.  * This is a wrapper to the kernel crypto API function of
    237. 

  237.  * crypto_rng_reset() to allow the caller to provide test_data
    238. 

  238.  *
    239. 

  239.  * @drng DRBG handle -- see crypto_rng_reset
    240. 

  240.  * @pers personalization string input buffer
    241. 

  241.  * @perslen length of additional information string buffer
    242. 

  242.  * @test_data filled test data
    243. 

  243.  *
    244. 

  244.  * return
    245. 

  245.  *	see crypto_rng_reset
    246. 

  246.  */
    247. 

  247. static inline int crypto_drbg_reset_test(struct crypto_rng *drng,
    248. 

  248. 					 struct drbg_string *pers,
    249. 

  249. 					 struct drbg_test_data *test_data)
    250. 

  250. {
    251. 

  251. 	crypto_rng_set_entropy(drng, test_data->testentropy->buf,
    252. 

  252. 			       test_data->testentropy->len);
    253. 

  253. 	return crypto_rng_reset(drng, pers->buf, pers->len);
    254. 

  254. }
    255. 

  255. 

  256. /* DRBG type flags */
    257. 

  257. #define DRBG_CTR	((drbg_flag_t)1<<0)
    258. 

  258. #define DRBG_HMAC	((drbg_flag_t)1<<1)
    259. 

  259. #define DRBG_HASH	((drbg_flag_t)1<<2)
    260. 

  260. #define DRBG_TYPE_MASK	(DRBG_CTR | DRBG_HMAC | DRBG_HASH)
    261. 

  261. /* DRBG strength flags */
    262. 

  262. #define DRBG_STRENGTH128	((drbg_flag_t)1<<3)
    263. 

  263. #define DRBG_STRENGTH192	((drbg_flag_t)1<<4)
    264. 

  264. #define DRBG_STRENGTH256	((drbg_flag_t)1<<5)
    265. 

  265. #define DRBG_STRENGTH_MASK	(DRBG_STRENGTH128 | DRBG_STRENGTH192 | \
    266. 

  266. 				 DRBG_STRENGTH256)
    267. 

  267. 

  268. enum drbg_prefixes {
    269. 

  269. 	DRBG_PREFIX0 = 0x00,
    270. 

  270. 	DRBG_PREFIX1,
    271. 

  271. 	DRBG_PREFIX2,
    272. 

  272. 	DRBG_PREFIX3
    273. 

  273. };
    274. 

  274. 

  275. #endif /* _DRBG_H */
    276.