3  *       Based on NIST Recommended DRBG from NIST SP800-90A with the following
5  *		* CTR DRBG with DF with AES-128, AES-192, AES-256 cores
6  *		* Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
7  *		* HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
18  * 2. Redistributions in binary form must reproduce the above copyright
29  * the restrictions contained in a BSD-style copyright.)
46  * The SP 800-90A DRBG allows the user to specify a personalization string
52  * ---------------------------------
63  * -------------------------------------------------------
68  * char personalization[11] = "some-string";
72  * // The reset completely re-initializes the DRBG with the provided
80  * ---------------------------------------------------------------------
84  * char addtl_string[11] = "some-string";
96  * -------------------------------------------------------------
202  * Return strength of DRBG according to SP800-90A section 8.4
224  * FIPS 140-2 continuous self test for the noise source
232  * drbg->drbg_mutex must have been taken.
239  *	-EAGAIN on when the CTRNG is not yet primed
245 	unsigned short entropylen = drbg_sec_strength(drbg->core->flags);  in drbg_fips_continuous_test()
252 	if (list_empty(&drbg->test_data.list))  in drbg_fips_continuous_test()
254 	/* only perform test in FIPS mode */  in drbg_fips_continuous_test()
258 	if (!drbg->fips_primed) {  in drbg_fips_continuous_test()
259 		/* Priming of FIPS test */  in drbg_fips_continuous_test()
260 		memcpy(drbg->prev, entropy, entropylen);  in drbg_fips_continuous_test()
261 		drbg->fips_primed = true;  in drbg_fips_continuous_test()
263 		return -EAGAIN;  in drbg_fips_continuous_test()
265 	ret = memcmp(drbg->prev, entropy, entropylen);  in drbg_fips_continuous_test()
268 	memcpy(drbg->prev, entropy, entropylen);  in drbg_fips_continuous_test()
276  * The byte representation is big-endian
279  * @buf buffer holding the converted integer -- caller must ensure that
290 	conversion->conv = cpu_to_be32(val);  in drbg_cpu_to_be32()
330 	/* 10.4.3 step 2 / 4 */  in drbg_ctr_bcc()
333 		const unsigned char *pos = curr->buf;  in drbg_ctr_bcc()
334 		size_t len = curr->len;  in drbg_ctr_bcc()
347 			len--;  in drbg_ctr_bcc()
363  *		start: drbg->scratchpad
366  *			blocklen-wise. Now, when the statelen is not a multiple
371  *		start: drbg->scratchpad +
396 /* Derivation Function for CTR DRBG as defined in 10.4.2 */
401 	int ret = -EFAULT;  in drbg_ctr_df()
411 	/* 10.4.2 step 7 */  in drbg_ctr_df()
413 	/* 10.4.2 step 8 */  in drbg_ctr_df()
427 	/* 10.4.2 step 1 is implicit as we work byte-wise */  in drbg_ctr_df()
429 	/* 10.4.2 step 2 */  in drbg_ctr_df()
431 		return -EINVAL;  in drbg_ctr_df()
433 	/* 10.4.2 step 2 -- calculate the entire length of all input data */  in drbg_ctr_df()
435 		inputlen += seed->len;  in drbg_ctr_df()
438 	/* 10.4.2 step 3 */  in drbg_ctr_df()
441 	/* 10.4.2 step 5: length is L_N, input_string, one byte, padding */  in drbg_ctr_df()
445 		padlen = drbg_blocklen(drbg) - padlen;  in drbg_ctr_df()
454 	/* 10.4.2 step 4 -- first fill the linked list and then order it */  in drbg_ctr_df()
463 	/* 10.4.2 step 9 */  in drbg_ctr_df()
466 		 * 10.4.2 step 9.1 - the padding is implicit as the buffer  in drbg_ctr_df()
467 		 * holds zeros after allocation -- even the increment of i  in drbg_ctr_df()
471 		/* 10.4.2 step 9.2 -- BCC and concatenation with temp */  in drbg_ctr_df()
475 		/* 10.4.2 step 9.3 */  in drbg_ctr_df()
480 	/* 10.4.2 step 11 */  in drbg_ctr_df()
484 	/* 10.4.2 step 12: overwriting of outval is implemented in next step */  in drbg_ctr_df()
486 	/* 10.4.2 step 13 */  in drbg_ctr_df()
491 		 * 10.4.2 step 13.1: the truncation of the key length is  in drbg_ctr_df()
499 				(bytes_to_return - generated_len)) ?  in drbg_ctr_df()
501 				(bytes_to_return - generated_len);  in drbg_ctr_df()
502 		/* 10.4.2 step 13.2 and 14 */  in drbg_ctr_df()
523  * 2 => first invocation from drbg_ctr_update when addtl is present. In
534 	int ret = -EFAULT;  in drbg_ctr_update()
536 	unsigned char *temp = drbg->scratchpad;  in drbg_ctr_update()
537 	unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) +  in drbg_ctr_update()
547 		 * but SP800-90A requires that the counter is incremented before  in drbg_ctr_update()
551 		crypto_inc(drbg->V, drbg_blocklen(drbg));  in drbg_ctr_update()
553 		ret = crypto_skcipher_setkey(drbg->ctr_handle, drbg->C,  in drbg_ctr_update()
559 	/* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */  in drbg_ctr_update()
572 	ret = crypto_skcipher_setkey(drbg->ctr_handle, temp,  in drbg_ctr_update()
577 	memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg));  in drbg_ctr_update()
579 	crypto_inc(drbg->V, drbg_blocklen(drbg));  in drbg_ctr_update()
584 	if (2 != reseed)  in drbg_ctr_update()
593 /* Generate function of CTR DRBG as defined in 10.2.1.5.2 */
601 	/* 10.2.1.5.2 step 2 */  in drbg_ctr_generate()
603 		ret = drbg_ctr_update(drbg, addtl, 2);  in drbg_ctr_generate()
608 	/* 10.2.1.5.2 step 4.1 */  in drbg_ctr_generate()
613 	/* 10.2.1.5.2 step 6 */  in drbg_ctr_generate()
657 	int ret = -EFAULT;  in drbg_hmac_update()
664 		/* 10.1.2.3 step 2 -- memset(0) of C is implicit with kzalloc */  in drbg_hmac_update()
665 		memset(drbg->V, 1, drbg_statelen(drbg));  in drbg_hmac_update()
666 		drbg_kcapi_hmacsetkey(drbg, drbg->C);  in drbg_hmac_update()
669 	drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg));  in drbg_hmac_update()
678 	drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg));  in drbg_hmac_update()
680 	for (i = 2; 0 < i; i--) {  in drbg_hmac_update()
685 		/* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */  in drbg_hmac_update()
687 		ret = drbg_kcapi_hash(drbg, drbg->C, &seedlist);  in drbg_hmac_update()
690 		drbg_kcapi_hmacsetkey(drbg, drbg->C);  in drbg_hmac_update()
692 		/* 10.1.2.2 step 2 and 5 -- HMAC for V */  in drbg_hmac_update()
693 		ret = drbg_kcapi_hash(drbg, drbg->V, &vdatalist);  in drbg_hmac_update()
716 	/* 10.1.2.5 step 2 */  in drbg_hmac_generate()
723 	drbg_string_fill(&data, drbg->V, drbg_statelen(drbg));  in drbg_hmac_generate()
728 		ret = drbg_kcapi_hash(drbg, drbg->V, &datalist);  in drbg_hmac_generate()
731 		outlen = (drbg_blocklen(drbg) < (buflen - len)) ?  in drbg_hmac_generate()
732 			  drbg_blocklen(drbg) : (buflen - len);  in drbg_hmac_generate()
735 		memcpy(buf + len, drbg->V, outlen);  in drbg_hmac_generate()
788 	dstptr = dst + (dstlen-1);  in drbg_add_buf()
789 	addptr = add + (addlen-1);  in drbg_add_buf()
794 		len--; dstptr--; addptr--;  in drbg_add_buf()
796 	len = dstlen - addlen;  in drbg_add_buf()
801 		len--; dstptr--;  in drbg_add_buf()
809  *	start: drbg->scratchpad
812  *	start: drbg->scratchpad + drbg_statelen(drbg)
828 	unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg);  in drbg_hash_df()
835 	/* 10.4.1 step 4.1 -- concatenation of data for input into hash */  in drbg_hash_df()
848 		blocklen = (drbg_blocklen(drbg) < (outlen - len)) ?  in drbg_hash_df()
849 			    drbg_blocklen(drbg) : (outlen - len);  in drbg_hash_df()
867 	unsigned char *V = drbg->scratchpad;  in drbg_hash_update()
871 		return -EINVAL;  in drbg_hash_update()
875 		memcpy(V, drbg->V, drbg_statelen(drbg));  in drbg_hash_update()
883 	/* 10.1.1.2 / 10.1.1.3 step 2 and 3 */  in drbg_hash_update()
884 	ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist);  in drbg_hash_update()
892 	drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));  in drbg_hash_update()
895 	ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2);  in drbg_hash_update()
898 	memset(drbg->scratchpad, 0, drbg_statelen(drbg));  in drbg_hash_update()
911 	/* 10.1.1.4 step 2 */  in drbg_hash_process_addtl()
915 	/* 10.1.1.4 step 2a */  in drbg_hash_process_addtl()
917 	drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));  in drbg_hash_process_addtl()
921 	ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist);  in drbg_hash_process_addtl()
925 	/* 10.1.1.4 step 2b */  in drbg_hash_process_addtl()
926 	drbg_add_buf(drbg->V, drbg_statelen(drbg),  in drbg_hash_process_addtl()
927 		     drbg->scratchpad, drbg_blocklen(drbg));  in drbg_hash_process_addtl()
930 	memset(drbg->scratchpad, 0, drbg_blocklen(drbg));  in drbg_hash_process_addtl()
941 	unsigned char *src = drbg->scratchpad;  in drbg_hash_hashgen()
942 	unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg);  in drbg_hash_hashgen()
946 	/* 10.1.1.4 step hashgen 2 */  in drbg_hash_hashgen()
947 	memcpy(src, drbg->V, drbg_statelen(drbg));  in drbg_hash_hashgen()
959 		outlen = (drbg_blocklen(drbg) < (buflen - len)) ?  in drbg_hash_hashgen()
960 			  drbg_blocklen(drbg) : (buflen - len);  in drbg_hash_hashgen()
970 	memset(drbg->scratchpad, 0,  in drbg_hash_hashgen()
990 	/* 10.1.1.4 step 2 */  in drbg_hash_generate()
1001 	drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));  in drbg_hash_generate()
1003 	ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist);  in drbg_hash_generate()
1010 	drbg_add_buf(drbg->V, drbg_statelen(drbg),  in drbg_hash_generate()
1011 		     drbg->scratchpad, drbg_blocklen(drbg));  in drbg_hash_generate()
1012 	drbg_add_buf(drbg->V, drbg_statelen(drbg),  in drbg_hash_generate()
1013 		     drbg->C, drbg_statelen(drbg));  in drbg_hash_generate()
1014 	u.req_int = cpu_to_be64(drbg->reseed_ctr);  in drbg_hash_generate()
1015 	drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8);  in drbg_hash_generate()
1018 	memset(drbg->scratchpad, 0, drbg_blocklen(drbg));  in drbg_hash_generate()
1041 	int ret = drbg->d_ops->update(drbg, seed, reseed);  in __drbg_seed()
1046 	drbg->seeded = new_seed_state;  in __drbg_seed()
1048 	drbg->reseed_ctr = 1;  in __drbg_seed()
1050 	switch (drbg->seeded) {  in __drbg_seed()
1059 		drbg->reseed_threshold = 50;  in __drbg_seed()
1067 		drbg->reseed_threshold = drbg_max_requests(drbg);  in __drbg_seed()
1083 		if (ret && ret != -EAGAIN)  in drbg_get_random_bytes()
1094 	unsigned int entropylen = drbg_sec_strength(drbg->core->flags);  in drbg_seed_from_random()
1130 	unsigned char entropy[((32 + 16) * 2)];  in drbg_seed()
1131 	unsigned int entropylen = drbg_sec_strength(drbg->core->flags);  in drbg_seed()
1137 	if (pers && pers->len > (drbg_max_addtl(drbg))) {  in drbg_seed()
1139 			 pers->len);  in drbg_seed()
1140 		return -EINVAL;  in drbg_seed()
1143 	if (list_empty(&drbg->test_data.list)) {  in drbg_seed()
1144 		drbg_string_fill(&data1, drbg->test_data.buf,  in drbg_seed()
1145 				 drbg->test_data.len);  in drbg_seed()
1151 		 * to the entropy. A nonce must be at least 1/2 of the security  in drbg_seed()
1152 		 * strength of the DRBG in size. Thus, entropy + nonce is 3/2  in drbg_seed()
1158 			entropylen = ((entropylen + 1) / 2) * 3;  in drbg_seed()
1159 		BUG_ON((entropylen * 2) > sizeof(entropy));  in drbg_seed()
1161 		/* Get seed from in-kernel /dev/urandom */  in drbg_seed()
1169 		if (!drbg->jent) {  in drbg_seed()
1175 			ret = crypto_rng_get_bytes(drbg->jent,  in drbg_seed()
1188 				 * SP800-90A allowing us to treat the  in drbg_seed()
1195 				if (!reseed || ret != -EAGAIN)  in drbg_seed()
1199 			drbg_string_fill(&data1, entropy, entropylen * 2);  in drbg_seed()
1201 				 entropylen * 2);  in drbg_seed()
1211 	if (pers && pers->buf && 0 < pers->len) {  in drbg_seed()
1212 		list_add_tail(&pers->list, &seedlist);  in drbg_seed()
1217 		memset(drbg->V, 0, drbg_statelen(drbg));  in drbg_seed()
1218 		memset(drbg->C, 0, drbg_statelen(drbg));  in drbg_seed()
1224 	memzero_explicit(entropy, entropylen * 2);  in drbg_seed()
1234 	kfree_sensitive(drbg->Vbuf);  in drbg_dealloc_state()
1235 	drbg->Vbuf = NULL;  in drbg_dealloc_state()
1236 	drbg->V = NULL;  in drbg_dealloc_state()
1237 	kfree_sensitive(drbg->Cbuf);  in drbg_dealloc_state()
1238 	drbg->Cbuf = NULL;  in drbg_dealloc_state()
1239 	drbg->C = NULL;  in drbg_dealloc_state()
1240 	kfree_sensitive(drbg->scratchpadbuf);  in drbg_dealloc_state()
1241 	drbg->scratchpadbuf = NULL;  in drbg_dealloc_state()
1242 	drbg->reseed_ctr = 0;  in drbg_dealloc_state()
1243 	drbg->d_ops = NULL;  in drbg_dealloc_state()
1244 	drbg->core = NULL;  in drbg_dealloc_state()
1246 		kfree_sensitive(drbg->prev);  in drbg_dealloc_state()
1247 		drbg->prev = NULL;  in drbg_dealloc_state()
1248 		drbg->fips_primed = false;  in drbg_dealloc_state()
1253  * Allocate all sub-structures for a DRBG state.
1258 	int ret = -ENOMEM;  in drbg_alloc_state()
1261 	switch (drbg->core->flags & DRBG_TYPE_MASK) {  in drbg_alloc_state()
1264 		drbg->d_ops = &drbg_hmac_ops;  in drbg_alloc_state()
1269 		drbg->d_ops = &drbg_hash_ops;  in drbg_alloc_state()
1274 		drbg->d_ops = &drbg_ctr_ops;  in drbg_alloc_state()
1278 		ret = -EOPNOTSUPP;  in drbg_alloc_state()
1282 	ret = drbg->d_ops->crypto_init(drbg);  in drbg_alloc_state()
1286 	drbg->Vbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL);  in drbg_alloc_state()
1287 	if (!drbg->Vbuf) {  in drbg_alloc_state()
1288 		ret = -ENOMEM;  in drbg_alloc_state()
1291 	drbg->V = PTR_ALIGN(drbg->Vbuf, ret + 1);  in drbg_alloc_state()
1292 	drbg->Cbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL);  in drbg_alloc_state()
1293 	if (!drbg->Cbuf) {  in drbg_alloc_state()
1294 		ret = -ENOMEM;  in drbg_alloc_state()
1297 	drbg->C = PTR_ALIGN(drbg->Cbuf, ret + 1);  in drbg_alloc_state()
1299 	if (drbg->core->flags & DRBG_HMAC)  in drbg_alloc_state()
1301 	else if (drbg->core->flags & DRBG_CTR)  in drbg_alloc_state()
1311 		drbg->scratchpadbuf = kzalloc(sb_size + ret, GFP_KERNEL);  in drbg_alloc_state()
1312 		if (!drbg->scratchpadbuf) {  in drbg_alloc_state()
1313 			ret = -ENOMEM;  in drbg_alloc_state()
1316 		drbg->scratchpad = PTR_ALIGN(drbg->scratchpadbuf, ret + 1);  in drbg_alloc_state()
1320 		drbg->prev = kzalloc(drbg_sec_strength(drbg->core->flags),  in drbg_alloc_state()
1322 		if (!drbg->prev) {  in drbg_alloc_state()
1323 			ret = -ENOMEM;  in drbg_alloc_state()
1326 		drbg->fips_primed = false;  in drbg_alloc_state()
1332 	drbg->d_ops->crypto_fini(drbg);  in drbg_alloc_state()
1343  * DRBG generate function as required by SP800-90A - this function
1347  * @buf Buffer where to store the random numbers -- the buffer must already
1348  *      be pre-allocated by caller
1349  * @buflen Length of output buffer - this value defines the number of random
1351  * @addtl Additional input that is mixed into state, may be NULL -- note
1353  *	  as defined in SP800-90A. The additional input is mixed into
1365 	if (!drbg->core) {  in drbg_generate()
1367 		return -EINVAL;  in drbg_generate()
1371 		return -EINVAL;  in drbg_generate()
1373 	if (addtl && NULL == addtl->buf && 0 < addtl->len) {  in drbg_generate()
1375 		return -EINVAL;  in drbg_generate()
1378 	/* 9.3.1 step 2 */  in drbg_generate()
1379 	len = -EINVAL;  in drbg_generate()
1389 	if (addtl && addtl->len > (drbg_max_addtl(drbg))) {  in drbg_generate()
1391 			 addtl->len);  in drbg_generate()
1397 	 * 9.3.1 step 6 and 9 supplemented by 9.3.2 step c is implemented  in drbg_generate()
1400 	if (drbg->reseed_threshold < drbg->reseed_ctr)  in drbg_generate()
1401 		drbg->seeded = DRBG_SEED_STATE_UNSEEDED;  in drbg_generate()
1403 	if (drbg->pr || drbg->seeded == DRBG_SEED_STATE_UNSEEDED) {  in drbg_generate()
1406 			 drbg->pr ? "true" : "false",  in drbg_generate()
1407 			 (drbg->seeded ==  DRBG_SEED_STATE_FULL ?  in drbg_generate()
1416 		   drbg->seeded == DRBG_SEED_STATE_PARTIAL) {  in drbg_generate()
1422 	if (addtl && 0 < addtl->len)  in drbg_generate()
1423 		list_add_tail(&addtl->list, &addtllist);  in drbg_generate()
1425 	len = drbg->d_ops->generate(drbg, buf, buflen, &addtllist);  in drbg_generate()
1427 	/* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */  in drbg_generate()
1428 	drbg->reseed_ctr++;  in drbg_generate()
1433 	 * Section 11.3.3 requires to re-perform self tests after some  in drbg_generate()
1448 	if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096)) {  in drbg_generate()
1451 		if (drbg->core->flags & DRBG_HMAC)  in drbg_generate()
1454 		else if (drbg->core->flags & DRBG_CTR)  in drbg_generate()
1488  * Return codes: see drbg_generate -- if one drbg_generate request fails,
1500 		slice = ((buflen - len) / drbg_max_request_bytes(drbg));  in drbg_generate_long()
1501 		chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len);  in drbg_generate_long()
1502 		mutex_lock(&drbg->drbg_mutex);  in drbg_generate_long()
1504 		mutex_unlock(&drbg->drbg_mutex);  in drbg_generate_long()
1515 	if (list_empty(&drbg->test_data.list))  in drbg_prepare_hrng()
1518 	drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0);  in drbg_prepare_hrng()
1524  * DRBG instantiation function as required by SP800-90A - this function
1526  * checks required by SP800-90A
1528  * @drbg memory of state -- if NULL, new memory is allocated
1529  * @pers Personalization string that is mixed into state, may be NULL -- note
1531  *	 as defined in SP800-90A. The additional input is mixed into
1548 	mutex_lock(&drbg->drbg_mutex);  in drbg_instantiate()
1553 	 * 9.1 step 2 is implicit as caller can select prediction resistance  in drbg_instantiate()
1554 	 * and the flag is copied into drbg->flags --  in drbg_instantiate()
1560 	if (!drbg->core) {  in drbg_instantiate()
1561 		drbg->core = &drbg_cores[coreref];  in drbg_instantiate()
1562 		drbg->pr = pr;  in drbg_instantiate()
1563 		drbg->seeded = DRBG_SEED_STATE_UNSEEDED;  in drbg_instantiate()
1564 		drbg->reseed_threshold = drbg_max_requests(drbg);  in drbg_instantiate()
1574 		if (IS_ERR(drbg->jent)) {  in drbg_instantiate()
1575 			ret = PTR_ERR(drbg->jent);  in drbg_instantiate()
1576 			drbg->jent = NULL;  in drbg_instantiate()
1577 			if (fips_enabled || ret != -ENOENT)  in drbg_instantiate()
1590 	mutex_unlock(&drbg->drbg_mutex);  in drbg_instantiate()
1594 	mutex_unlock(&drbg->drbg_mutex);  in drbg_instantiate()
1598 	mutex_unlock(&drbg->drbg_mutex);  in drbg_instantiate()
1604  * DRBG uninstantiate function as required by SP800-90A - this function
1614 	if (!IS_ERR_OR_NULL(drbg->jent))  in drbg_uninstantiate()
1615 		crypto_free_rng(drbg->jent);  in drbg_uninstantiate()
1616 	drbg->jent = NULL;  in drbg_uninstantiate()
1618 	if (drbg->d_ops)  in drbg_uninstantiate()
1619 		drbg->d_ops->crypto_fini(drbg);  in drbg_uninstantiate()
1621 	/* no scrubbing of test_data -- this shall survive an uninstantiate */  in drbg_uninstantiate()
1637 	mutex_lock(&drbg->drbg_mutex);  in drbg_kcapi_set_entropy()
1638 	drbg_string_fill(&drbg->test_data, data, len);  in drbg_kcapi_set_entropy()
1639 	mutex_unlock(&drbg->drbg_mutex);  in drbg_kcapi_set_entropy()
1657 	tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0);  in drbg_init_hash_kernel()
1660 				drbg->core->backend_cra_name);  in drbg_init_hash_kernel()
1668 		return -ENOMEM;  in drbg_init_hash_kernel()
1671 	sdesc->shash.tfm = tfm;  in drbg_init_hash_kernel()
1672 	drbg->priv_data = sdesc;  in drbg_init_hash_kernel()
1679 	struct sdesc *sdesc = (struct sdesc *)drbg->priv_data;  in drbg_fini_hash_kernel()
1681 		crypto_free_shash(sdesc->shash.tfm);  in drbg_fini_hash_kernel()
1684 	drbg->priv_data = NULL;  in drbg_fini_hash_kernel()
1691 	struct sdesc *sdesc = (struct sdesc *)drbg->priv_data;  in drbg_kcapi_hmacsetkey()
1693 	crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg));  in drbg_kcapi_hmacsetkey()
1699 	struct sdesc *sdesc = (struct sdesc *)drbg->priv_data;  in drbg_kcapi_hash()
1702 	crypto_shash_init(&sdesc->shash);  in drbg_kcapi_hash()
1704 		crypto_shash_update(&sdesc->shash, input->buf, input->len);  in drbg_kcapi_hash()
1705 	return crypto_shash_final(&sdesc->shash, outval);  in drbg_kcapi_hash()
1713 		(struct crypto_cipher *)drbg->priv_data;  in drbg_fini_sym_kernel()
1716 	drbg->priv_data = NULL;  in drbg_fini_sym_kernel()
1718 	if (drbg->ctr_handle)  in drbg_fini_sym_kernel()
1719 		crypto_free_skcipher(drbg->ctr_handle);  in drbg_fini_sym_kernel()
1720 	drbg->ctr_handle = NULL;  in drbg_fini_sym_kernel()
1722 	if (drbg->ctr_req)  in drbg_fini_sym_kernel()
1723 		skcipher_request_free(drbg->ctr_req);  in drbg_fini_sym_kernel()
1724 	drbg->ctr_req = NULL;  in drbg_fini_sym_kernel()
1726 	kfree(drbg->outscratchpadbuf);  in drbg_fini_sym_kernel()
1727 	drbg->outscratchpadbuf = NULL;  in drbg_fini_sym_kernel()
1740 	tfm = crypto_alloc_cipher(drbg->core->backend_cra_name, 0, 0);  in drbg_init_sym_kernel()
1743 				drbg->core->backend_cra_name);  in drbg_init_sym_kernel()
1747 	drbg->priv_data = tfm;  in drbg_init_sym_kernel()
1750 	    drbg->core->backend_cra_name) >= CRYPTO_MAX_ALG_NAME) {  in drbg_init_sym_kernel()
1752 		return -EINVAL;  in drbg_init_sym_kernel()
1761 	drbg->ctr_handle = sk_tfm;  in drbg_init_sym_kernel()
1762 	crypto_init_wait(&drbg->ctr_wait);  in drbg_init_sym_kernel()
1768 		return -ENOMEM;  in drbg_init_sym_kernel()
1770 	drbg->ctr_req = req;  in drbg_init_sym_kernel()
1773 					crypto_req_done, &drbg->ctr_wait);  in drbg_init_sym_kernel()
1776 	drbg->outscratchpadbuf = kmalloc(DRBG_OUTSCRATCHLEN + alignmask,  in drbg_init_sym_kernel()
1778 	if (!drbg->outscratchpadbuf) {  in drbg_init_sym_kernel()
1780 		return -ENOMEM;  in drbg_init_sym_kernel()
1782 	drbg->outscratchpad = (u8 *)PTR_ALIGN(drbg->outscratchpadbuf,  in drbg_init_sym_kernel()
1785 	sg_init_table(&drbg->sg_in, 1);  in drbg_init_sym_kernel()
1786 	sg_init_one(&drbg->sg_out, drbg->outscratchpad, DRBG_OUTSCRATCHLEN);  in drbg_init_sym_kernel()
1795 		(struct crypto_cipher *)drbg->priv_data;  in drbg_kcapi_symsetkey()
1804 		(struct crypto_cipher *)drbg->priv_data;  in drbg_kcapi_sym()
1807 	BUG_ON(in->len < drbg_blocklen(drbg));  in drbg_kcapi_sym()
1808 	crypto_cipher_encrypt_one(tfm, outval, in->buf);  in drbg_kcapi_sym()
1816 	struct scatterlist *sg_in = &drbg->sg_in, *sg_out = &drbg->sg_out;  in drbg_kcapi_sym_ctr()
1821 		/* Use caller-provided input buffer */  in drbg_kcapi_sym_ctr()
1824 		/* Use scratchpad for in-place operation */  in drbg_kcapi_sym_ctr()
1826 		memset(drbg->outscratchpad, 0, scratchpad_use);  in drbg_kcapi_sym_ctr()
1827 		sg_set_buf(sg_in, drbg->outscratchpad, scratchpad_use);  in drbg_kcapi_sym_ctr()
1834 		skcipher_request_set_crypt(drbg->ctr_req, sg_in, sg_out,  in drbg_kcapi_sym_ctr()
1835 					   cryptlen, drbg->V);  in drbg_kcapi_sym_ctr()
1836 		ret = crypto_wait_req(crypto_skcipher_encrypt(drbg->ctr_req),  in drbg_kcapi_sym_ctr()
1837 					&drbg->ctr_wait);  in drbg_kcapi_sym_ctr()
1841 		crypto_init_wait(&drbg->ctr_wait);  in drbg_kcapi_sym_ctr()
1843 		memcpy(outbuf, drbg->outscratchpad, cryptlen);  in drbg_kcapi_sym_ctr()
1844 		memzero_explicit(drbg->outscratchpad, cryptlen);  in drbg_kcapi_sym_ctr()
1846 		outlen -= cryptlen;  in drbg_kcapi_sym_ctr()
1890 	len = strlen(cra_driver_name) - start;  in drbg_convert_tfm_core()
1904 	mutex_init(&drbg->drbg_mutex);  in drbg_kcapi_init()
1968  * Tests as defined in 11.3.2 in addition to the cipher tests: testing
1971  * Note: testing of failing seed source as defined in 11.3.2 is not applicable
1974  * Note 2: There is no sensible way of testing the reseed counter
1983 	int ret = -EFAULT;  in drbg_healthcheck_sanity()
1984 	int rc = -EFAULT;  in drbg_healthcheck_sanity()
1990 	/* only perform test in FIPS mode */  in drbg_healthcheck_sanity()
2004 		return -ENOMEM;  in drbg_healthcheck_sanity()
2006 	mutex_init(&drbg->drbg_mutex);  in drbg_healthcheck_sanity()
2007 	drbg->core = &drbg_cores[coreref];  in drbg_healthcheck_sanity()
2008 	drbg->reseed_threshold = drbg_max_requests(drbg);  in drbg_healthcheck_sanity()
2013 	 * string lengths -- in case the error handling does not succeed  in drbg_healthcheck_sanity()
2054 	memcpy(alg->base.cra_name, "stdrng", 6);  in drbg_fill_array()
2056 		memcpy(alg->base.cra_driver_name, "drbg_pr_", 8);  in drbg_fill_array()
2059 		memcpy(alg->base.cra_driver_name, "drbg_nopr_", 10);  in drbg_fill_array()
2062 	memcpy(alg->base.cra_driver_name + pos, core->cra_name,  in drbg_fill_array()
2063 	       strlen(core->cra_name));  in drbg_fill_array()
2065 	alg->base.cra_priority = priority;  in drbg_fill_array()
2068 	 * If FIPS mode enabled, the selected DRBG shall have the  in drbg_fill_array()
2073 		alg->base.cra_priority += 200;  in drbg_fill_array()
2075 	alg->base.cra_ctxsize 	= sizeof(struct drbg_state);  in drbg_fill_array()
2076 	alg->base.cra_module	= THIS_MODULE;  in drbg_fill_array()
2077 	alg->base.cra_init	= drbg_kcapi_init;  in drbg_fill_array()
2078 	alg->base.cra_exit	= drbg_kcapi_cleanup;  in drbg_fill_array()
2079 	alg->generate		= drbg_kcapi_random;  in drbg_fill_array()
2080 	alg->seed		= drbg_kcapi_seed;  in drbg_fill_array()
2081 	alg->set_ent		= drbg_kcapi_set_entropy;  in drbg_fill_array()
2082 	alg->seedsize		= 0;  in drbg_fill_array()
2095 	if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) {  in drbg_init()
2098 			ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs));  in drbg_init()
2099 		return -EFAULT;  in drbg_init()
2115 	return crypto_register_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2));  in drbg_init()
2120 	crypto_unregister_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2));  in drbg_exit()
2136 MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) "