tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

crypto: drbg - Export CTR DRBG DF functions

Export drbg_ctr_df() derivative function to new module df_sp80090.

Signed-off-by: Harsh Jain <h.jain@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

authored by

Harsh Jain and committed by
Herbert Xu 6c4fed5f 3a866087

+343 -265
+6 -2
crypto/Kconfig
··· 1205 1205 1206 1206 config CRYPTO_DRBG_CTR 1207 1207 bool "CTR_DRBG" 1208 - select CRYPTO_AES 1209 - select CRYPTO_CTR 1208 + select CRYPTO_DF80090A 1210 1209 help 1211 1210 CTR_DRBG variant as defined in NIST SP800-90A. 1212 1211 ··· 1340 1341 tristate 1341 1342 select CRYPTO_HMAC 1342 1343 select CRYPTO_SHA256 1344 + 1345 + config CRYPTO_DF80090A 1346 + tristate 1347 + select CRYPTO_AES 1348 + select CRYPTO_CTR 1343 1349 1344 1350 endmenu 1345 1351 menu "Userspace interface"
+2
crypto/Makefile
··· 209 209 # 210 210 obj-$(CONFIG_CRYPTO_KDF800108_CTR) += kdf_sp800108.o 211 211 212 + obj-$(CONFIG_CRYPTO_DF80090A) += df_sp80090a.o 213 + 212 214 obj-$(CONFIG_CRYPTO_KRB5) += krb5/
+247
crypto/df_sp80090a.c
··· 1 + // SPDX-License-Identifier: GPL-2.0 2 + 3 + /* 4 + * NIST SP800-90A DRBG derivation function 5 + * 6 + * Copyright (C) 2014, Stephan Mueller <smueller@chronox.de> 7 + */ 8 + 9 + #include <linux/errno.h> 10 + #include <linux/kernel.h> 11 + #include <linux/module.h> 12 + #include <linux/string.h> 13 + #include <crypto/df_sp80090a.h> 14 + #include <crypto/internal/drbg.h> 15 + 16 + static void drbg_kcapi_symsetkey(struct crypto_cipher *tfm, 17 + const unsigned char *key, 18 + u8 keylen); 19 + static int drbg_kcapi_sym(struct crypto_cipher *tfm, unsigned char *outval, 20 + const struct drbg_string *in, u8 blocklen_bytes); 21 + 22 + static void drbg_kcapi_symsetkey(struct crypto_cipher *tfm, 23 + const unsigned char *key, u8 keylen) 24 + { 25 + crypto_cipher_setkey(tfm, key, keylen); 26 + } 27 + 28 + static int drbg_kcapi_sym(struct crypto_cipher *tfm, unsigned char *outval, 29 + const struct drbg_string *in, u8 blocklen_bytes) 30 + { 31 + /* there is only component in *in */ 32 + BUG_ON(in->len < blocklen_bytes); 33 + crypto_cipher_encrypt_one(tfm, outval, in->buf); 34 + return 0; 35 + } 36 + 37 + /* BCC function for CTR DRBG as defined in 10.4.3 */ 38 + 39 + static int drbg_ctr_bcc(struct crypto_cipher *tfm, 40 + unsigned char *out, const unsigned char *key, 41 + struct list_head *in, 42 + u8 blocklen_bytes, 43 + u8 keylen) 44 + { 45 + int ret = 0; 46 + struct drbg_string *curr = NULL; 47 + struct drbg_string data; 48 + short cnt = 0; 49 + 50 + drbg_string_fill(&data, out, blocklen_bytes); 51 + 52 + /* 10.4.3 step 2 / 4 */ 53 + drbg_kcapi_symsetkey(tfm, key, keylen); 54 + list_for_each_entry(curr, in, list) { 55 + const unsigned char *pos = curr->buf; 56 + size_t len = curr->len; 57 + /* 10.4.3 step 4.1 */ 58 + while (len) { 59 + /* 10.4.3 step 4.2 */ 60 + if (blocklen_bytes == cnt) { 61 + cnt = 0; 62 + ret = drbg_kcapi_sym(tfm, out, &data, blocklen_bytes); 63 + if (ret) 64 + return ret; 65 + } 66 + out[cnt] ^= *pos; 67 + pos++; 68 + cnt++; 69 + len--; 70 + } 71 + } 72 + /* 10.4.3 step 4.2 for last block */ 73 + if (cnt) 74 + ret = drbg_kcapi_sym(tfm, out, &data, blocklen_bytes); 75 + 76 + return ret; 77 + } 78 + 79 + /* 80 + * scratchpad usage: drbg_ctr_update is interlinked with crypto_drbg_ctr_df 81 + * (and drbg_ctr_bcc, but this function does not need any temporary buffers), 82 + * the scratchpad is used as follows: 83 + * drbg_ctr_update: 84 + * temp 85 + * start: drbg->scratchpad 86 + * length: drbg_statelen(drbg) + drbg_blocklen(drbg) 87 + * note: the cipher writing into this variable works 88 + * blocklen-wise. Now, when the statelen is not a multiple 89 + * of blocklen, the generateion loop below "spills over" 90 + * by at most blocklen. Thus, we need to give sufficient 91 + * memory. 92 + * df_data 93 + * start: drbg->scratchpad + 94 + * drbg_statelen(drbg) + drbg_blocklen(drbg) 95 + * length: drbg_statelen(drbg) 96 + * 97 + * crypto_drbg_ctr_df: 98 + * pad 99 + * start: df_data + drbg_statelen(drbg) 100 + * length: drbg_blocklen(drbg) 101 + * iv 102 + * start: pad + drbg_blocklen(drbg) 103 + * length: drbg_blocklen(drbg) 104 + * temp 105 + * start: iv + drbg_blocklen(drbg) 106 + * length: drbg_satelen(drbg) + drbg_blocklen(drbg) 107 + * note: temp is the buffer that the BCC function operates 108 + * on. BCC operates blockwise. drbg_statelen(drbg) 109 + * is sufficient when the DRBG state length is a multiple 110 + * of the block size. For AES192 (and maybe other ciphers) 111 + * this is not correct and the length for temp is 112 + * insufficient (yes, that also means for such ciphers, 113 + * the final output of all BCC rounds are truncated). 114 + * Therefore, add drbg_blocklen(drbg) to cover all 115 + * possibilities. 116 + * refer to crypto_drbg_ctr_df_datalen() to get required length 117 + */ 118 + 119 + /* Derivation Function for CTR DRBG as defined in 10.4.2 */ 120 + int crypto_drbg_ctr_df(struct crypto_cipher *tfm, 121 + unsigned char *df_data, size_t bytes_to_return, 122 + struct list_head *seedlist, 123 + u8 blocklen_bytes, 124 + u8 statelen) 125 + { 126 + int ret = -EFAULT; 127 + unsigned char L_N[8]; 128 + /* S3 is input */ 129 + struct drbg_string S1, S2, S4, cipherin; 130 + LIST_HEAD(bcc_list); 131 + unsigned char *pad = df_data + statelen; 132 + unsigned char *iv = pad + blocklen_bytes; 133 + unsigned char *temp = iv + blocklen_bytes; 134 + size_t padlen = 0; 135 + unsigned int templen = 0; 136 + /* 10.4.2 step 7 */ 137 + unsigned int i = 0; 138 + /* 10.4.2 step 8 */ 139 + const unsigned char *K = (unsigned char *) 140 + "\x00\x01\x02\x03\x04\x05\x06\x07" 141 + "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" 142 + "\x10\x11\x12\x13\x14\x15\x16\x17" 143 + "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"; 144 + unsigned char *X; 145 + size_t generated_len = 0; 146 + size_t inputlen = 0; 147 + struct drbg_string *seed = NULL; 148 + u8 keylen; 149 + 150 + memset(pad, 0, blocklen_bytes); 151 + memset(iv, 0, blocklen_bytes); 152 + keylen = statelen - blocklen_bytes; 153 + /* 10.4.2 step 1 is implicit as we work byte-wise */ 154 + 155 + /* 10.4.2 step 2 */ 156 + if ((512 / 8) < bytes_to_return) 157 + return -EINVAL; 158 + 159 + /* 10.4.2 step 2 -- calculate the entire length of all input data */ 160 + list_for_each_entry(seed, seedlist, list) 161 + inputlen += seed->len; 162 + drbg_cpu_to_be32(inputlen, &L_N[0]); 163 + 164 + /* 10.4.2 step 3 */ 165 + drbg_cpu_to_be32(bytes_to_return, &L_N[4]); 166 + 167 + /* 10.4.2 step 5: length is L_N, input_string, one byte, padding */ 168 + padlen = (inputlen + sizeof(L_N) + 1) % (blocklen_bytes); 169 + /* wrap the padlen appropriately */ 170 + if (padlen) 171 + padlen = blocklen_bytes - padlen; 172 + /* 173 + * pad / padlen contains the 0x80 byte and the following zero bytes. 174 + * As the calculated padlen value only covers the number of zero 175 + * bytes, this value has to be incremented by one for the 0x80 byte. 176 + */ 177 + padlen++; 178 + pad[0] = 0x80; 179 + 180 + /* 10.4.2 step 4 -- first fill the linked list and then order it */ 181 + drbg_string_fill(&S1, iv, blocklen_bytes); 182 + list_add_tail(&S1.list, &bcc_list); 183 + drbg_string_fill(&S2, L_N, sizeof(L_N)); 184 + list_add_tail(&S2.list, &bcc_list); 185 + list_splice_tail(seedlist, &bcc_list); 186 + drbg_string_fill(&S4, pad, padlen); 187 + list_add_tail(&S4.list, &bcc_list); 188 + 189 + /* 10.4.2 step 9 */ 190 + while (templen < (keylen + (blocklen_bytes))) { 191 + /* 192 + * 10.4.2 step 9.1 - the padding is implicit as the buffer 193 + * holds zeros after allocation -- even the increment of i 194 + * is irrelevant as the increment remains within length of i 195 + */ 196 + drbg_cpu_to_be32(i, iv); 197 + /* 10.4.2 step 9.2 -- BCC and concatenation with temp */ 198 + ret = drbg_ctr_bcc(tfm, temp + templen, K, &bcc_list, 199 + blocklen_bytes, keylen); 200 + if (ret) 201 + goto out; 202 + /* 10.4.2 step 9.3 */ 203 + i++; 204 + templen += blocklen_bytes; 205 + } 206 + 207 + /* 10.4.2 step 11 */ 208 + X = temp + (keylen); 209 + drbg_string_fill(&cipherin, X, blocklen_bytes); 210 + 211 + /* 10.4.2 step 12: overwriting of outval is implemented in next step */ 212 + 213 + /* 10.4.2 step 13 */ 214 + drbg_kcapi_symsetkey(tfm, temp, keylen); 215 + while (generated_len < bytes_to_return) { 216 + short blocklen = 0; 217 + /* 218 + * 10.4.2 step 13.1: the truncation of the key length is 219 + * implicit as the key is only drbg_blocklen in size based on 220 + * the implementation of the cipher function callback 221 + */ 222 + ret = drbg_kcapi_sym(tfm, X, &cipherin, blocklen_bytes); 223 + if (ret) 224 + goto out; 225 + blocklen = (blocklen_bytes < 226 + (bytes_to_return - generated_len)) ? 227 + blocklen_bytes : 228 + (bytes_to_return - generated_len); 229 + /* 10.4.2 step 13.2 and 14 */ 230 + memcpy(df_data + generated_len, X, blocklen); 231 + generated_len += blocklen; 232 + } 233 + 234 + ret = 0; 235 + 236 + out: 237 + memset(iv, 0, blocklen_bytes); 238 + memset(temp, 0, statelen + blocklen_bytes); 239 + memset(pad, 0, blocklen_bytes); 240 + return ret; 241 + } 242 + EXPORT_SYMBOL_GPL(crypto_drbg_ctr_df); 243 + 244 + MODULE_IMPORT_NS("CRYPTO_INTERNAL"); 245 + MODULE_LICENSE("GPL v2"); 246 + MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>"); 247 + MODULE_DESCRIPTION("Derivation Function conformant to SP800-90A");
+5 -239
crypto/drbg.c
··· 98 98 */ 99 99 100 100 #include <crypto/drbg.h> 101 + #include <crypto/df_sp80090a.h> 101 102 #include <crypto/internal/cipher.h> 102 103 #include <linux/kernel.h> 103 104 #include <linux/jiffies.h> ··· 262 261 return 0; 263 262 } 264 263 265 - /* 266 - * Convert an integer into a byte representation of this integer. 267 - * The byte representation is big-endian 268 - * 269 - * @val value to be converted 270 - * @buf buffer holding the converted integer -- caller must ensure that 271 - * buffer size is at least 32 bit 272 - */ 273 - #if (defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR)) 274 - static inline void drbg_cpu_to_be32(__u32 val, unsigned char *buf) 275 - { 276 - struct s { 277 - __be32 conv; 278 - }; 279 - struct s *conversion = (struct s *) buf; 280 - 281 - conversion->conv = cpu_to_be32(val); 282 - } 283 - #endif /* defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR) */ 284 - 285 264 /****************************************************************** 286 265 * CTR DRBG callback functions 287 266 ******************************************************************/ ··· 275 294 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes128"); 276 295 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes128"); 277 296 278 - static void drbg_kcapi_symsetkey(struct drbg_state *drbg, 279 - const unsigned char *key); 280 - static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval, 281 - const struct drbg_string *in); 282 297 static int drbg_init_sym_kernel(struct drbg_state *drbg); 283 298 static int drbg_fini_sym_kernel(struct drbg_state *drbg); 284 299 static int drbg_kcapi_sym_ctr(struct drbg_state *drbg, ··· 282 305 u8 *outbuf, u32 outlen); 283 306 #define DRBG_OUTSCRATCHLEN 256 284 307 285 - /* BCC function for CTR DRBG as defined in 10.4.3 */ 286 - static int drbg_ctr_bcc(struct drbg_state *drbg, 287 - unsigned char *out, const unsigned char *key, 288 - struct list_head *in) 289 - { 290 - int ret = 0; 291 - struct drbg_string *curr = NULL; 292 - struct drbg_string data; 293 - short cnt = 0; 294 - 295 - drbg_string_fill(&data, out, drbg_blocklen(drbg)); 296 - 297 - /* 10.4.3 step 2 / 4 */ 298 - drbg_kcapi_symsetkey(drbg, key); 299 - list_for_each_entry(curr, in, list) { 300 - const unsigned char *pos = curr->buf; 301 - size_t len = curr->len; 302 - /* 10.4.3 step 4.1 */ 303 - while (len) { 304 - /* 10.4.3 step 4.2 */ 305 - if (drbg_blocklen(drbg) == cnt) { 306 - cnt = 0; 307 - ret = drbg_kcapi_sym(drbg, out, &data); 308 - if (ret) 309 - return ret; 310 - } 311 - out[cnt] ^= *pos; 312 - pos++; 313 - cnt++; 314 - len--; 315 - } 316 - } 317 - /* 10.4.3 step 4.2 for last block */ 318 - if (cnt) 319 - ret = drbg_kcapi_sym(drbg, out, &data); 320 - 321 - return ret; 322 - } 323 - 324 - /* 325 - * scratchpad usage: drbg_ctr_update is interlinked with drbg_ctr_df 326 - * (and drbg_ctr_bcc, but this function does not need any temporary buffers), 327 - * the scratchpad is used as follows: 328 - * drbg_ctr_update: 329 - * temp 330 - * start: drbg->scratchpad 331 - * length: drbg_statelen(drbg) + drbg_blocklen(drbg) 332 - * note: the cipher writing into this variable works 333 - * blocklen-wise. Now, when the statelen is not a multiple 334 - * of blocklen, the generateion loop below "spills over" 335 - * by at most blocklen. Thus, we need to give sufficient 336 - * memory. 337 - * df_data 338 - * start: drbg->scratchpad + 339 - * drbg_statelen(drbg) + drbg_blocklen(drbg) 340 - * length: drbg_statelen(drbg) 341 - * 342 - * drbg_ctr_df: 343 - * pad 344 - * start: df_data + drbg_statelen(drbg) 345 - * length: drbg_blocklen(drbg) 346 - * iv 347 - * start: pad + drbg_blocklen(drbg) 348 - * length: drbg_blocklen(drbg) 349 - * temp 350 - * start: iv + drbg_blocklen(drbg) 351 - * length: drbg_satelen(drbg) + drbg_blocklen(drbg) 352 - * note: temp is the buffer that the BCC function operates 353 - * on. BCC operates blockwise. drbg_statelen(drbg) 354 - * is sufficient when the DRBG state length is a multiple 355 - * of the block size. For AES192 (and maybe other ciphers) 356 - * this is not correct and the length for temp is 357 - * insufficient (yes, that also means for such ciphers, 358 - * the final output of all BCC rounds are truncated). 359 - * Therefore, add drbg_blocklen(drbg) to cover all 360 - * possibilities. 361 - */ 362 - 363 - /* Derivation Function for CTR DRBG as defined in 10.4.2 */ 364 308 static int drbg_ctr_df(struct drbg_state *drbg, 365 309 unsigned char *df_data, size_t bytes_to_return, 366 310 struct list_head *seedlist) 367 311 { 368 - int ret = -EFAULT; 369 - unsigned char L_N[8]; 370 - /* S3 is input */ 371 - struct drbg_string S1, S2, S4, cipherin; 372 - LIST_HEAD(bcc_list); 373 - unsigned char *pad = df_data + drbg_statelen(drbg); 374 - unsigned char *iv = pad + drbg_blocklen(drbg); 375 - unsigned char *temp = iv + drbg_blocklen(drbg); 376 - size_t padlen = 0; 377 - unsigned int templen = 0; 378 - /* 10.4.2 step 7 */ 379 - unsigned int i = 0; 380 - /* 10.4.2 step 8 */ 381 - const unsigned char *K = (unsigned char *) 382 - "\x00\x01\x02\x03\x04\x05\x06\x07" 383 - "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" 384 - "\x10\x11\x12\x13\x14\x15\x16\x17" 385 - "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"; 386 - unsigned char *X; 387 - size_t generated_len = 0; 388 - size_t inputlen = 0; 389 - struct drbg_string *seed = NULL; 390 - 391 - memset(pad, 0, drbg_blocklen(drbg)); 392 - memset(iv, 0, drbg_blocklen(drbg)); 393 - 394 - /* 10.4.2 step 1 is implicit as we work byte-wise */ 395 - 396 - /* 10.4.2 step 2 */ 397 - if ((512/8) < bytes_to_return) 398 - return -EINVAL; 399 - 400 - /* 10.4.2 step 2 -- calculate the entire length of all input data */ 401 - list_for_each_entry(seed, seedlist, list) 402 - inputlen += seed->len; 403 - drbg_cpu_to_be32(inputlen, &L_N[0]); 404 - 405 - /* 10.4.2 step 3 */ 406 - drbg_cpu_to_be32(bytes_to_return, &L_N[4]); 407 - 408 - /* 10.4.2 step 5: length is L_N, input_string, one byte, padding */ 409 - padlen = (inputlen + sizeof(L_N) + 1) % (drbg_blocklen(drbg)); 410 - /* wrap the padlen appropriately */ 411 - if (padlen) 412 - padlen = drbg_blocklen(drbg) - padlen; 413 - /* 414 - * pad / padlen contains the 0x80 byte and the following zero bytes. 415 - * As the calculated padlen value only covers the number of zero 416 - * bytes, this value has to be incremented by one for the 0x80 byte. 417 - */ 418 - padlen++; 419 - pad[0] = 0x80; 420 - 421 - /* 10.4.2 step 4 -- first fill the linked list and then order it */ 422 - drbg_string_fill(&S1, iv, drbg_blocklen(drbg)); 423 - list_add_tail(&S1.list, &bcc_list); 424 - drbg_string_fill(&S2, L_N, sizeof(L_N)); 425 - list_add_tail(&S2.list, &bcc_list); 426 - list_splice_tail(seedlist, &bcc_list); 427 - drbg_string_fill(&S4, pad, padlen); 428 - list_add_tail(&S4.list, &bcc_list); 429 - 430 - /* 10.4.2 step 9 */ 431 - while (templen < (drbg_keylen(drbg) + (drbg_blocklen(drbg)))) { 432 - /* 433 - * 10.4.2 step 9.1 - the padding is implicit as the buffer 434 - * holds zeros after allocation -- even the increment of i 435 - * is irrelevant as the increment remains within length of i 436 - */ 437 - drbg_cpu_to_be32(i, iv); 438 - /* 10.4.2 step 9.2 -- BCC and concatenation with temp */ 439 - ret = drbg_ctr_bcc(drbg, temp + templen, K, &bcc_list); 440 - if (ret) 441 - goto out; 442 - /* 10.4.2 step 9.3 */ 443 - i++; 444 - templen += drbg_blocklen(drbg); 445 - } 446 - 447 - /* 10.4.2 step 11 */ 448 - X = temp + (drbg_keylen(drbg)); 449 - drbg_string_fill(&cipherin, X, drbg_blocklen(drbg)); 450 - 451 - /* 10.4.2 step 12: overwriting of outval is implemented in next step */ 452 - 453 - /* 10.4.2 step 13 */ 454 - drbg_kcapi_symsetkey(drbg, temp); 455 - while (generated_len < bytes_to_return) { 456 - short blocklen = 0; 457 - /* 458 - * 10.4.2 step 13.1: the truncation of the key length is 459 - * implicit as the key is only drbg_blocklen in size based on 460 - * the implementation of the cipher function callback 461 - */ 462 - ret = drbg_kcapi_sym(drbg, X, &cipherin); 463 - if (ret) 464 - goto out; 465 - blocklen = (drbg_blocklen(drbg) < 466 - (bytes_to_return - generated_len)) ? 467 - drbg_blocklen(drbg) : 468 - (bytes_to_return - generated_len); 469 - /* 10.4.2 step 13.2 and 14 */ 470 - memcpy(df_data + generated_len, X, blocklen); 471 - generated_len += blocklen; 472 - } 473 - 474 - ret = 0; 475 - 476 - out: 477 - memset(iv, 0, drbg_blocklen(drbg)); 478 - memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg)); 479 - memset(pad, 0, drbg_blocklen(drbg)); 480 - return ret; 312 + return crypto_drbg_ctr_df(drbg->priv_data, df_data, drbg_statelen(drbg), 313 + seedlist, drbg_blocklen(drbg), drbg_statelen(drbg)); 481 314 } 482 315 483 316 /* ··· 1097 1310 sb_size = 0; 1098 1311 else if (drbg->core->flags & DRBG_CTR) 1099 1312 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) + /* temp */ 1100 - drbg_statelen(drbg) + /* df_data */ 1101 - drbg_blocklen(drbg) + /* pad */ 1102 - drbg_blocklen(drbg) + /* iv */ 1103 - drbg_statelen(drbg) + drbg_blocklen(drbg); /* temp */ 1313 + crypto_drbg_ctr_df_datalen(drbg_statelen(drbg), 1314 + drbg_blocklen(drbg)); 1104 1315 else 1105 1316 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg); 1106 1317 ··· 1583 1798 sg_init_one(&drbg->sg_out, drbg->outscratchpad, DRBG_OUTSCRATCHLEN); 1584 1799 1585 1800 return alignmask; 1586 - } 1587 - 1588 - static void drbg_kcapi_symsetkey(struct drbg_state *drbg, 1589 - const unsigned char *key) 1590 - { 1591 - struct crypto_cipher *tfm = drbg->priv_data; 1592 - 1593 - crypto_cipher_setkey(tfm, key, (drbg_keylen(drbg))); 1594 - } 1595 - 1596 - static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval, 1597 - const struct drbg_string *in) 1598 - { 1599 - struct crypto_cipher *tfm = drbg->priv_data; 1600 - 1601 - /* there is only component in *in */ 1602 - BUG_ON(in->len < drbg_blocklen(drbg)); 1603 - crypto_cipher_encrypt_one(tfm, outval, in->buf); 1604 - return 0; 1605 1801 } 1606 1802 1607 1803 static int drbg_kcapi_sym_ctr(struct drbg_state *drbg,
+1
drivers/crypto/Kconfig
··· 728 728 config CRYPTO_DEV_XILINX_TRNG 729 729 tristate "Support for Xilinx True Random Generator" 730 730 depends on ZYNQMP_FIRMWARE || COMPILE_TEST 731 + select CRYPTO_DF80090A 731 732 select CRYPTO_RNG 732 733 select HW_RANDOM 733 734 help
+27
include/crypto/df_sp80090a.h
··· 1 + /* SPDX-License-Identifier: GPL-2.0 */ 2 + 3 + /* 4 + * Copyright Stephan Mueller <smueller@chronox.de>, 2014 5 + */ 6 + 7 + #ifndef _CRYPTO_DF80090A_H 8 + #define _CRYPTO_DF80090A_H 9 + 10 + #include <crypto/internal/cipher.h> 11 + 12 + static inline int crypto_drbg_ctr_df_datalen(u8 statelen, u8 blocklen) 13 + { 14 + return statelen + /* df_data */ 15 + blocklen + /* pad */ 16 + blocklen + /* iv */ 17 + statelen + blocklen; /* temp */ 18 + } 19 + 20 + int crypto_drbg_ctr_df(struct crypto_cipher *tfm, 21 + unsigned char *df_data, 22 + size_t bytes_to_return, 23 + struct list_head *seedlist, 24 + u8 blocklen_bytes, 25 + u8 statelen); 26 + 27 + #endif /* _CRYPTO_DF80090A_H */
+1 -24
include/crypto/drbg.h
··· 47 47 #include <linux/module.h> 48 48 #include <linux/crypto.h> 49 49 #include <linux/slab.h> 50 + #include <crypto/internal/drbg.h> 50 51 #include <crypto/internal/rng.h> 51 52 #include <crypto/rng.h> 52 53 #include <linux/fips.h> 53 54 #include <linux/mutex.h> 54 55 #include <linux/list.h> 55 56 #include <linux/workqueue.h> 56 - 57 - /* 58 - * Concatenation Helper and string operation helper 59 - * 60 - * SP800-90A requires the concatenation of different data. To avoid copying 61 - * buffers around or allocate additional memory, the following data structure 62 - * is used to point to the original memory with its size. In addition, it 63 - * is used to build a linked list. The linked list defines the concatenation 64 - * of individual buffers. The order of memory block referenced in that 65 - * linked list determines the order of concatenation. 66 - */ 67 - struct drbg_string { 68 - const unsigned char *buf; 69 - size_t len; 70 - struct list_head list; 71 - }; 72 - 73 - static inline void drbg_string_fill(struct drbg_string *string, 74 - const unsigned char *buf, size_t len) 75 - { 76 - string->buf = buf; 77 - string->len = len; 78 - INIT_LIST_HEAD(&string->list); 79 - } 80 57 81 58 struct drbg_state; 82 59 typedef uint32_t drbg_flag_t;
+54
include/crypto/internal/drbg.h
··· 1 + /* SPDX-License-Identifier: GPL-2.0 */ 2 + 3 + /* 4 + * NIST SP800-90A DRBG derivation function 5 + * 6 + * Copyright (C) 2014, Stephan Mueller <smueller@chronox.de> 7 + */ 8 + 9 + #ifndef _INTERNAL_DRBG_H 10 + #define _INTERNAL_DRBG_H 11 + 12 + /* 13 + * Convert an integer into a byte representation of this integer. 14 + * The byte representation is big-endian 15 + * 16 + * @val value to be converted 17 + * @buf buffer holding the converted integer -- caller must ensure that 18 + * buffer size is at least 32 bit 19 + */ 20 + static inline void drbg_cpu_to_be32(__u32 val, unsigned char *buf) 21 + { 22 + struct s { 23 + __be32 conv; 24 + }; 25 + struct s *conversion = (struct s *)buf; 26 + 27 + conversion->conv = cpu_to_be32(val); 28 + } 29 + 30 + /* 31 + * Concatenation Helper and string operation helper 32 + * 33 + * SP800-90A requires the concatenation of different data. To avoid copying 34 + * buffers around or allocate additional memory, the following data structure 35 + * is used to point to the original memory with its size. In addition, it 36 + * is used to build a linked list. The linked list defines the concatenation 37 + * of individual buffers. The order of memory block referenced in that 38 + * linked list determines the order of concatenation. 39 + */ 40 + struct drbg_string { 41 + const unsigned char *buf; 42 + size_t len; 43 + struct list_head list; 44 + }; 45 + 46 + static inline void drbg_string_fill(struct drbg_string *string, 47 + const unsigned char *buf, size_t len) 48 + { 49 + string->buf = buf; 50 + string->len = len; 51 + INIT_LIST_HEAD(&string->list); 52 + } 53 + 54 + #endif //_INTERNAL_DRBG_H