2 * PRNG: Pseudo Random Number Generator
3 * Based on NIST Recommended PRNG From ANSI X9.31 Appendix A.2.4 using
6 * (C) Neil Horman <nhorman@tuxdriver.com>
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
16 #include <crypto/internal/rng.h>
17 #include <linux/err.h>
18 #include <linux/init.h>
19 #include <linux/module.h>
20 #include <linux/moduleparam.h>
21 #include <linux/string.h>
25 #define DEFAULT_PRNG_KEY "0123456789abcdef"
26 #define DEFAULT_PRNG_KSZ 16
27 #define DEFAULT_BLK_SZ 16
28 #define DEFAULT_V_SEED "zaybxcwdveuftgsh"
31 * Flags for the prng_context flags field
34 #define PRNG_FIXED_SIZE 0x1
35 #define PRNG_NEED_RESET 0x2
38 * Note: DT is our counter value
39 * I is our intermediate value
40 * V is our seed vector
41 * See http://csrc.nist.gov/groups/STM/cavp/documents/rng/931rngext.pdf
42 * for implementation details
48 unsigned char rand_data
[DEFAULT_BLK_SZ
];
49 unsigned char last_rand_data
[DEFAULT_BLK_SZ
];
50 unsigned char DT
[DEFAULT_BLK_SZ
];
51 unsigned char I
[DEFAULT_BLK_SZ
];
52 unsigned char V
[DEFAULT_BLK_SZ
];
54 struct crypto_cipher
*tfm
;
60 static void hexdump(char *note
, unsigned char *buf
, unsigned int len
)
63 printk(KERN_CRIT
"%s", note
);
64 print_hex_dump(KERN_CONT
, "", DUMP_PREFIX_OFFSET
,
70 #define dbgprint(format, args...) do {\
72 printk(format, ##args);\
75 static void xor_vectors(unsigned char *in1
, unsigned char *in2
,
76 unsigned char *out
, unsigned int size
)
80 for (i
= 0; i
< size
; i
++)
81 out
[i
] = in1
[i
] ^ in2
[i
];
85 * Returns DEFAULT_BLK_SZ bytes of random data per call
86 * returns 0 if generation succeeded, <0 if something went wrong
88 static int _get_more_prng_bytes(struct prng_context
*ctx
, int cont_test
)
91 unsigned char tmp
[DEFAULT_BLK_SZ
];
92 unsigned char *output
= NULL
;
95 dbgprint(KERN_CRIT
"Calling _get_more_prng_bytes for context %p\n",
98 hexdump("Input DT: ", ctx
->DT
, DEFAULT_BLK_SZ
);
99 hexdump("Input I: ", ctx
->I
, DEFAULT_BLK_SZ
);
100 hexdump("Input V: ", ctx
->V
, DEFAULT_BLK_SZ
);
103 * This algorithm is a 3 stage state machine
105 for (i
= 0; i
< 3; i
++) {
110 * Start by encrypting the counter value
111 * This gives us an intermediate value I
113 memcpy(tmp
, ctx
->DT
, DEFAULT_BLK_SZ
);
115 hexdump("tmp stage 0: ", tmp
, DEFAULT_BLK_SZ
);
120 * Next xor I with our secret vector V
121 * encrypt that result to obtain our
122 * pseudo random data which we output
124 xor_vectors(ctx
->I
, ctx
->V
, tmp
, DEFAULT_BLK_SZ
);
125 hexdump("tmp stage 1: ", tmp
, DEFAULT_BLK_SZ
);
126 output
= ctx
->rand_data
;
130 * First check that we didn't produce the same
131 * random data that we did last time around through this
133 if (!memcmp(ctx
->rand_data
, ctx
->last_rand_data
,
136 panic("cprng %p Failed repetition check!\n",
141 "ctx %p Failed repetition check!\n",
144 ctx
->flags
|= PRNG_NEED_RESET
;
147 memcpy(ctx
->last_rand_data
, ctx
->rand_data
,
151 * Lastly xor the random data with I
152 * and encrypt that to obtain a new secret vector V
154 xor_vectors(ctx
->rand_data
, ctx
->I
, tmp
,
157 hexdump("tmp stage 2: ", tmp
, DEFAULT_BLK_SZ
);
162 /* do the encryption */
163 crypto_cipher_encrypt_one(ctx
->tfm
, output
, tmp
);
168 * Now update our DT value
170 for (i
= DEFAULT_BLK_SZ
- 1; i
>= 0; i
--) {
176 dbgprint("Returning new block for context %p\n", ctx
);
177 ctx
->rand_data_valid
= 0;
179 hexdump("Output DT: ", ctx
->DT
, DEFAULT_BLK_SZ
);
180 hexdump("Output I: ", ctx
->I
, DEFAULT_BLK_SZ
);
181 hexdump("Output V: ", ctx
->V
, DEFAULT_BLK_SZ
);
182 hexdump("New Random Data: ", ctx
->rand_data
, DEFAULT_BLK_SZ
);
187 /* Our exported functions */
188 static int get_prng_bytes(char *buf
, size_t nbytes
, struct prng_context
*ctx
,
191 unsigned char *ptr
= buf
;
192 unsigned int byte_count
= (unsigned int)nbytes
;
196 spin_lock_bh(&ctx
->prng_lock
);
199 if (ctx
->flags
& PRNG_NEED_RESET
)
203 * If the FIXED_SIZE flag is on, only return whole blocks of
207 if (ctx
->flags
& PRNG_FIXED_SIZE
) {
208 if (nbytes
< DEFAULT_BLK_SZ
)
210 byte_count
= DEFAULT_BLK_SZ
;
215 dbgprint(KERN_CRIT
"getting %d random bytes for context %p\n",
220 if (ctx
->rand_data_valid
== DEFAULT_BLK_SZ
) {
221 if (_get_more_prng_bytes(ctx
, do_cont_test
) < 0) {
222 memset(buf
, 0, nbytes
);
229 * Copy any data less than an entire block
231 if (byte_count
< DEFAULT_BLK_SZ
) {
233 while (ctx
->rand_data_valid
< DEFAULT_BLK_SZ
) {
234 *ptr
= ctx
->rand_data
[ctx
->rand_data_valid
];
237 ctx
->rand_data_valid
++;
244 * Now copy whole blocks
246 for (; byte_count
>= DEFAULT_BLK_SZ
; byte_count
-= DEFAULT_BLK_SZ
) {
247 if (ctx
->rand_data_valid
== DEFAULT_BLK_SZ
) {
248 if (_get_more_prng_bytes(ctx
, do_cont_test
) < 0) {
249 memset(buf
, 0, nbytes
);
254 if (ctx
->rand_data_valid
> 0)
256 memcpy(ptr
, ctx
->rand_data
, DEFAULT_BLK_SZ
);
257 ctx
->rand_data_valid
+= DEFAULT_BLK_SZ
;
258 ptr
+= DEFAULT_BLK_SZ
;
262 * Now go back and get any remaining partial block
268 spin_unlock_bh(&ctx
->prng_lock
);
269 dbgprint(KERN_CRIT
"returning %d from get_prng_bytes in context %p\n",
274 static void free_prng_context(struct prng_context
*ctx
)
276 crypto_free_cipher(ctx
->tfm
);
279 static int reset_prng_context(struct prng_context
*ctx
,
280 unsigned char *key
, size_t klen
,
281 unsigned char *V
, unsigned char *DT
)
284 unsigned char *prng_key
;
286 spin_lock_bh(&ctx
->prng_lock
);
287 ctx
->flags
|= PRNG_NEED_RESET
;
289 prng_key
= (key
!= NULL
) ? key
: (unsigned char *)DEFAULT_PRNG_KEY
;
292 klen
= DEFAULT_PRNG_KSZ
;
295 memcpy(ctx
->V
, V
, DEFAULT_BLK_SZ
);
297 memcpy(ctx
->V
, DEFAULT_V_SEED
, DEFAULT_BLK_SZ
);
300 memcpy(ctx
->DT
, DT
, DEFAULT_BLK_SZ
);
302 memset(ctx
->DT
, 0, DEFAULT_BLK_SZ
);
304 memset(ctx
->rand_data
, 0, DEFAULT_BLK_SZ
);
305 memset(ctx
->last_rand_data
, 0, DEFAULT_BLK_SZ
);
307 ctx
->rand_data_valid
= DEFAULT_BLK_SZ
;
309 ret
= crypto_cipher_setkey(ctx
->tfm
, prng_key
, klen
);
311 dbgprint(KERN_CRIT
"PRNG: setkey() failed flags=%x\n",
312 crypto_cipher_get_flags(ctx
->tfm
));
317 ctx
->flags
&= ~PRNG_NEED_RESET
;
319 spin_unlock_bh(&ctx
->prng_lock
);
323 static int cprng_init(struct crypto_tfm
*tfm
)
325 struct prng_context
*ctx
= crypto_tfm_ctx(tfm
);
327 spin_lock_init(&ctx
->prng_lock
);
328 ctx
->tfm
= crypto_alloc_cipher("aes", 0, 0);
329 if (IS_ERR(ctx
->tfm
)) {
330 dbgprint(KERN_CRIT
"Failed to alloc tfm for context %p\n",
332 return PTR_ERR(ctx
->tfm
);
335 if (reset_prng_context(ctx
, NULL
, DEFAULT_PRNG_KSZ
, NULL
, NULL
) < 0)
339 * after allocation, we should always force the user to reset
340 * so they don't inadvertently use the insecure default values
341 * without specifying them intentially
343 ctx
->flags
|= PRNG_NEED_RESET
;
347 static void cprng_exit(struct crypto_tfm
*tfm
)
349 free_prng_context(crypto_tfm_ctx(tfm
));
352 static int cprng_get_random(struct crypto_rng
*tfm
, u8
*rdata
,
355 struct prng_context
*prng
= crypto_rng_ctx(tfm
);
357 return get_prng_bytes(rdata
, dlen
, prng
, 0);
361 * This is the cprng_registered reset method the seed value is
362 * interpreted as the tuple { V KEY DT}
363 * V and KEY are required during reset, and DT is optional, detected
364 * as being present by testing the length of the seed
366 static int cprng_reset(struct crypto_rng
*tfm
, u8
*seed
, unsigned int slen
)
368 struct prng_context
*prng
= crypto_rng_ctx(tfm
);
369 u8
*key
= seed
+ DEFAULT_BLK_SZ
;
372 if (slen
< DEFAULT_PRNG_KSZ
+ DEFAULT_BLK_SZ
)
375 if (slen
>= (2 * DEFAULT_BLK_SZ
+ DEFAULT_PRNG_KSZ
))
376 dt
= key
+ DEFAULT_PRNG_KSZ
;
378 reset_prng_context(prng
, key
, DEFAULT_PRNG_KSZ
, seed
, dt
);
380 if (prng
->flags
& PRNG_NEED_RESET
)
385 #ifdef CONFIG_CRYPTO_FIPS
386 static int fips_cprng_get_random(struct crypto_rng
*tfm
, u8
*rdata
,
389 struct prng_context
*prng
= crypto_rng_ctx(tfm
);
391 return get_prng_bytes(rdata
, dlen
, prng
, 1);
394 static int fips_cprng_reset(struct crypto_rng
*tfm
, u8
*seed
, unsigned int slen
)
396 u8 rdata
[DEFAULT_BLK_SZ
];
397 u8
*key
= seed
+ DEFAULT_BLK_SZ
;
400 struct prng_context
*prng
= crypto_rng_ctx(tfm
);
402 if (slen
< DEFAULT_PRNG_KSZ
+ DEFAULT_BLK_SZ
)
405 /* fips strictly requires seed != key */
406 if (!memcmp(seed
, key
, DEFAULT_PRNG_KSZ
))
409 rc
= cprng_reset(tfm
, seed
, slen
);
414 /* this primes our continuity test */
415 rc
= get_prng_bytes(rdata
, DEFAULT_BLK_SZ
, prng
, 0);
416 prng
->rand_data_valid
= DEFAULT_BLK_SZ
;
423 static struct crypto_alg rng_algs
[] = { {
424 .cra_name
= "stdrng",
425 .cra_driver_name
= "ansi_cprng",
427 .cra_flags
= CRYPTO_ALG_TYPE_RNG
,
428 .cra_ctxsize
= sizeof(struct prng_context
),
429 .cra_type
= &crypto_rng_type
,
430 .cra_module
= THIS_MODULE
,
431 .cra_init
= cprng_init
,
432 .cra_exit
= cprng_exit
,
435 .rng_make_random
= cprng_get_random
,
436 .rng_reset
= cprng_reset
,
437 .seedsize
= DEFAULT_PRNG_KSZ
+ 2*DEFAULT_BLK_SZ
,
440 #ifdef CONFIG_CRYPTO_FIPS
442 .cra_name
= "fips(ansi_cprng)",
443 .cra_driver_name
= "fips_ansi_cprng",
445 .cra_flags
= CRYPTO_ALG_TYPE_RNG
,
446 .cra_ctxsize
= sizeof(struct prng_context
),
447 .cra_type
= &crypto_rng_type
,
448 .cra_module
= THIS_MODULE
,
449 .cra_init
= cprng_init
,
450 .cra_exit
= cprng_exit
,
453 .rng_make_random
= fips_cprng_get_random
,
454 .rng_reset
= fips_cprng_reset
,
455 .seedsize
= DEFAULT_PRNG_KSZ
+ 2*DEFAULT_BLK_SZ
,
461 /* Module initalization */
462 static int __init
prng_mod_init(void)
464 return crypto_register_algs(rng_algs
, ARRAY_SIZE(rng_algs
));
467 static void __exit
prng_mod_fini(void)
469 crypto_unregister_algs(rng_algs
, ARRAY_SIZE(rng_algs
));
472 MODULE_LICENSE("GPL");
473 MODULE_DESCRIPTION("Software Pseudo Random Number Generator");
474 MODULE_AUTHOR("Neil Horman <nhorman@tuxdriver.com>");
475 module_param(dbg
, int, 0);
476 MODULE_PARM_DESC(dbg
, "Boolean to enable debugging (0/1 == off/on)");
477 module_init(prng_mod_init
);
478 module_exit(prng_mod_fini
);
479 MODULE_ALIAS_CRYPTO("stdrng");
480 MODULE_ALIAS_CRYPTO("ansi_cprng");