2 * PRNG: Pseudo Random Number Generator
3 * Based on NIST Recommended PRNG From ANSI X9.31 Appendix A.2.4 using
6 * (C) Neil Horman <nhorman@tuxdriver.com>
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
16 #include <crypto/internal/rng.h>
17 #include <linux/err.h>
18 #include <linux/init.h>
19 #include <linux/module.h>
20 #include <linux/moduleparam.h>
21 #include <linux/string.h>
25 #define DEFAULT_PRNG_KEY "0123456789abcdef"
26 #define DEFAULT_PRNG_KSZ 16
27 #define DEFAULT_BLK_SZ 16
28 #define DEFAULT_V_SEED "zaybxcwdveuftgsh"
31 * Flags for the prng_context flags field
34 #define PRNG_FIXED_SIZE 0x1
35 #define PRNG_NEED_RESET 0x2
38 * Note: DT is our counter value
39 * I is our intermediate value
40 * V is our seed vector
41 * See http://csrc.nist.gov/groups/STM/cavp/documents/rng/931rngext.pdf
42 * for implementation details
48 unsigned char rand_data
[DEFAULT_BLK_SZ
];
49 unsigned char last_rand_data
[DEFAULT_BLK_SZ
];
50 unsigned char DT
[DEFAULT_BLK_SZ
];
51 unsigned char I
[DEFAULT_BLK_SZ
];
52 unsigned char V
[DEFAULT_BLK_SZ
];
54 struct crypto_cipher
*tfm
;
60 static void hexdump(char *note
, unsigned char *buf
, unsigned int len
)
63 printk(KERN_CRIT
"%s", note
);
64 print_hex_dump(KERN_CONT
, "", DUMP_PREFIX_OFFSET
,
70 #define dbgprint(format, args...) do {\
72 printk(format, ##args);\
75 static void xor_vectors(unsigned char *in1
, unsigned char *in2
,
76 unsigned char *out
, unsigned int size
)
80 for (i
= 0; i
< size
; i
++)
81 out
[i
] = in1
[i
] ^ in2
[i
];
85 * Returns DEFAULT_BLK_SZ bytes of random data per call
86 * returns 0 if generation succeeded, <0 if something went wrong
88 static int _get_more_prng_bytes(struct prng_context
*ctx
, int cont_test
)
91 unsigned char tmp
[DEFAULT_BLK_SZ
];
92 unsigned char *output
= NULL
;
95 dbgprint(KERN_CRIT
"Calling _get_more_prng_bytes for context %p\n",
98 hexdump("Input DT: ", ctx
->DT
, DEFAULT_BLK_SZ
);
99 hexdump("Input I: ", ctx
->I
, DEFAULT_BLK_SZ
);
100 hexdump("Input V: ", ctx
->V
, DEFAULT_BLK_SZ
);
103 * This algorithm is a 3 stage state machine
105 for (i
= 0; i
< 3; i
++) {
110 * Start by encrypting the counter value
111 * This gives us an intermediate value I
113 memcpy(tmp
, ctx
->DT
, DEFAULT_BLK_SZ
);
115 hexdump("tmp stage 0: ", tmp
, DEFAULT_BLK_SZ
);
120 * Next xor I with our secret vector V
121 * encrypt that result to obtain our
122 * pseudo random data which we output
124 xor_vectors(ctx
->I
, ctx
->V
, tmp
, DEFAULT_BLK_SZ
);
125 hexdump("tmp stage 1: ", tmp
, DEFAULT_BLK_SZ
);
126 output
= ctx
->rand_data
;
130 * First check that we didn't produce the same
131 * random data that we did last time around through this
133 if (!memcmp(ctx
->rand_data
, ctx
->last_rand_data
,
136 panic("cprng %p Failed repetition check!\n",
141 "ctx %p Failed repetition check!\n",
144 ctx
->flags
|= PRNG_NEED_RESET
;
147 memcpy(ctx
->last_rand_data
, ctx
->rand_data
,
151 * Lastly xor the random data with I
152 * and encrypt that to obtain a new secret vector V
154 xor_vectors(ctx
->rand_data
, ctx
->I
, tmp
,
157 hexdump("tmp stage 2: ", tmp
, DEFAULT_BLK_SZ
);
162 /* do the encryption */
163 crypto_cipher_encrypt_one(ctx
->tfm
, output
, tmp
);
168 * Now update our DT value
170 for (i
= DEFAULT_BLK_SZ
- 1; i
>= 0; i
--) {
176 dbgprint("Returning new block for context %p\n", ctx
);
177 ctx
->rand_data_valid
= 0;
179 hexdump("Output DT: ", ctx
->DT
, DEFAULT_BLK_SZ
);
180 hexdump("Output I: ", ctx
->I
, DEFAULT_BLK_SZ
);
181 hexdump("Output V: ", ctx
->V
, DEFAULT_BLK_SZ
);
182 hexdump("New Random Data: ", ctx
->rand_data
, DEFAULT_BLK_SZ
);
187 /* Our exported functions */
188 static int get_prng_bytes(char *buf
, size_t nbytes
, struct prng_context
*ctx
,
191 unsigned char *ptr
= buf
;
192 unsigned int byte_count
= (unsigned int)nbytes
;
196 spin_lock_bh(&ctx
->prng_lock
);
199 if (ctx
->flags
& PRNG_NEED_RESET
)
203 * If the FIXED_SIZE flag is on, only return whole blocks of
207 if (ctx
->flags
& PRNG_FIXED_SIZE
) {
208 if (nbytes
< DEFAULT_BLK_SZ
)
210 byte_count
= DEFAULT_BLK_SZ
;
214 * Return 0 in case of success as mandated by the kernel
215 * crypto API interface definition.
219 dbgprint(KERN_CRIT
"getting %d random bytes for context %p\n",
224 if (ctx
->rand_data_valid
== DEFAULT_BLK_SZ
) {
225 if (_get_more_prng_bytes(ctx
, do_cont_test
) < 0) {
226 memset(buf
, 0, nbytes
);
233 * Copy any data less than an entire block
235 if (byte_count
< DEFAULT_BLK_SZ
) {
237 while (ctx
->rand_data_valid
< DEFAULT_BLK_SZ
) {
238 *ptr
= ctx
->rand_data
[ctx
->rand_data_valid
];
241 ctx
->rand_data_valid
++;
248 * Now copy whole blocks
250 for (; byte_count
>= DEFAULT_BLK_SZ
; byte_count
-= DEFAULT_BLK_SZ
) {
251 if (ctx
->rand_data_valid
== DEFAULT_BLK_SZ
) {
252 if (_get_more_prng_bytes(ctx
, do_cont_test
) < 0) {
253 memset(buf
, 0, nbytes
);
258 if (ctx
->rand_data_valid
> 0)
260 memcpy(ptr
, ctx
->rand_data
, DEFAULT_BLK_SZ
);
261 ctx
->rand_data_valid
+= DEFAULT_BLK_SZ
;
262 ptr
+= DEFAULT_BLK_SZ
;
266 * Now go back and get any remaining partial block
272 spin_unlock_bh(&ctx
->prng_lock
);
273 dbgprint(KERN_CRIT
"returning %d from get_prng_bytes in context %p\n",
278 static void free_prng_context(struct prng_context
*ctx
)
280 crypto_free_cipher(ctx
->tfm
);
283 static int reset_prng_context(struct prng_context
*ctx
,
284 unsigned char *key
, size_t klen
,
285 unsigned char *V
, unsigned char *DT
)
288 unsigned char *prng_key
;
290 spin_lock_bh(&ctx
->prng_lock
);
291 ctx
->flags
|= PRNG_NEED_RESET
;
293 prng_key
= (key
!= NULL
) ? key
: (unsigned char *)DEFAULT_PRNG_KEY
;
296 klen
= DEFAULT_PRNG_KSZ
;
299 memcpy(ctx
->V
, V
, DEFAULT_BLK_SZ
);
301 memcpy(ctx
->V
, DEFAULT_V_SEED
, DEFAULT_BLK_SZ
);
304 memcpy(ctx
->DT
, DT
, DEFAULT_BLK_SZ
);
306 memset(ctx
->DT
, 0, DEFAULT_BLK_SZ
);
308 memset(ctx
->rand_data
, 0, DEFAULT_BLK_SZ
);
309 memset(ctx
->last_rand_data
, 0, DEFAULT_BLK_SZ
);
311 ctx
->rand_data_valid
= DEFAULT_BLK_SZ
;
313 ret
= crypto_cipher_setkey(ctx
->tfm
, prng_key
, klen
);
315 dbgprint(KERN_CRIT
"PRNG: setkey() failed flags=%x\n",
316 crypto_cipher_get_flags(ctx
->tfm
));
321 ctx
->flags
&= ~PRNG_NEED_RESET
;
323 spin_unlock_bh(&ctx
->prng_lock
);
327 static int cprng_init(struct crypto_tfm
*tfm
)
329 struct prng_context
*ctx
= crypto_tfm_ctx(tfm
);
331 spin_lock_init(&ctx
->prng_lock
);
332 ctx
->tfm
= crypto_alloc_cipher("aes", 0, 0);
333 if (IS_ERR(ctx
->tfm
)) {
334 dbgprint(KERN_CRIT
"Failed to alloc tfm for context %p\n",
336 return PTR_ERR(ctx
->tfm
);
339 if (reset_prng_context(ctx
, NULL
, DEFAULT_PRNG_KSZ
, NULL
, NULL
) < 0)
343 * after allocation, we should always force the user to reset
344 * so they don't inadvertently use the insecure default values
345 * without specifying them intentially
347 ctx
->flags
|= PRNG_NEED_RESET
;
351 static void cprng_exit(struct crypto_tfm
*tfm
)
353 free_prng_context(crypto_tfm_ctx(tfm
));
356 static int cprng_get_random(struct crypto_rng
*tfm
, u8
*rdata
,
359 struct prng_context
*prng
= crypto_rng_ctx(tfm
);
361 return get_prng_bytes(rdata
, dlen
, prng
, 0);
365 * This is the cprng_registered reset method the seed value is
366 * interpreted as the tuple { V KEY DT}
367 * V and KEY are required during reset, and DT is optional, detected
368 * as being present by testing the length of the seed
370 static int cprng_reset(struct crypto_rng
*tfm
, u8
*seed
, unsigned int slen
)
372 struct prng_context
*prng
= crypto_rng_ctx(tfm
);
373 u8
*key
= seed
+ DEFAULT_BLK_SZ
;
376 if (slen
< DEFAULT_PRNG_KSZ
+ DEFAULT_BLK_SZ
)
379 if (slen
>= (2 * DEFAULT_BLK_SZ
+ DEFAULT_PRNG_KSZ
))
380 dt
= key
+ DEFAULT_PRNG_KSZ
;
382 reset_prng_context(prng
, key
, DEFAULT_PRNG_KSZ
, seed
, dt
);
384 if (prng
->flags
& PRNG_NEED_RESET
)
389 #ifdef CONFIG_CRYPTO_FIPS
390 static int fips_cprng_get_random(struct crypto_rng
*tfm
, u8
*rdata
,
393 struct prng_context
*prng
= crypto_rng_ctx(tfm
);
395 return get_prng_bytes(rdata
, dlen
, prng
, 1);
398 static int fips_cprng_reset(struct crypto_rng
*tfm
, u8
*seed
, unsigned int slen
)
400 u8 rdata
[DEFAULT_BLK_SZ
];
401 u8
*key
= seed
+ DEFAULT_BLK_SZ
;
404 struct prng_context
*prng
= crypto_rng_ctx(tfm
);
406 if (slen
< DEFAULT_PRNG_KSZ
+ DEFAULT_BLK_SZ
)
409 /* fips strictly requires seed != key */
410 if (!memcmp(seed
, key
, DEFAULT_PRNG_KSZ
))
413 rc
= cprng_reset(tfm
, seed
, slen
);
418 /* this primes our continuity test */
419 rc
= get_prng_bytes(rdata
, DEFAULT_BLK_SZ
, prng
, 0);
420 prng
->rand_data_valid
= DEFAULT_BLK_SZ
;
427 static struct crypto_alg rng_algs
[] = { {
428 .cra_name
= "stdrng",
429 .cra_driver_name
= "ansi_cprng",
431 .cra_flags
= CRYPTO_ALG_TYPE_RNG
,
432 .cra_ctxsize
= sizeof(struct prng_context
),
433 .cra_type
= &crypto_rng_type
,
434 .cra_module
= THIS_MODULE
,
435 .cra_init
= cprng_init
,
436 .cra_exit
= cprng_exit
,
439 .rng_make_random
= cprng_get_random
,
440 .rng_reset
= cprng_reset
,
441 .seedsize
= DEFAULT_PRNG_KSZ
+ 2*DEFAULT_BLK_SZ
,
444 #ifdef CONFIG_CRYPTO_FIPS
446 .cra_name
= "fips(ansi_cprng)",
447 .cra_driver_name
= "fips_ansi_cprng",
449 .cra_flags
= CRYPTO_ALG_TYPE_RNG
,
450 .cra_ctxsize
= sizeof(struct prng_context
),
451 .cra_type
= &crypto_rng_type
,
452 .cra_module
= THIS_MODULE
,
453 .cra_init
= cprng_init
,
454 .cra_exit
= cprng_exit
,
457 .rng_make_random
= fips_cprng_get_random
,
458 .rng_reset
= fips_cprng_reset
,
459 .seedsize
= DEFAULT_PRNG_KSZ
+ 2*DEFAULT_BLK_SZ
,
465 /* Module initalization */
466 static int __init
prng_mod_init(void)
468 return crypto_register_algs(rng_algs
, ARRAY_SIZE(rng_algs
));
471 static void __exit
prng_mod_fini(void)
473 crypto_unregister_algs(rng_algs
, ARRAY_SIZE(rng_algs
));
476 MODULE_LICENSE("GPL");
477 MODULE_DESCRIPTION("Software Pseudo Random Number Generator");
478 MODULE_AUTHOR("Neil Horman <nhorman@tuxdriver.com>");
479 module_param(dbg
, int, 0);
480 MODULE_PARM_DESC(dbg
, "Boolean to enable debugging (0/1 == off/on)");
481 module_init(prng_mod_init
);
482 module_exit(prng_mod_fini
);
483 MODULE_ALIAS_CRYPTO("stdrng");
484 MODULE_ALIAS_CRYPTO("ansi_cprng");