2 * PRNG: Pseudo Random Number Generator
3 * Based on NIST Recommended PRNG From ANSI X9.31 Appendix A.2.4 using
6 * (C) Neil Horman <nhorman@tuxdriver.com>
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
16 #include <crypto/internal/rng.h>
17 #include <linux/err.h>
18 #include <linux/init.h>
19 #include <linux/module.h>
20 #include <linux/moduleparam.h>
21 #include <linux/string.h>
25 #define DEFAULT_PRNG_KEY "0123456789abcdef"
26 #define DEFAULT_PRNG_KSZ 16
27 #define DEFAULT_BLK_SZ 16
28 #define DEFAULT_V_SEED "zaybxcwdveuftgsh"
31 * Flags for the prng_context flags field
34 #define PRNG_FIXED_SIZE 0x1
35 #define PRNG_NEED_RESET 0x2
38 * Note: DT is our counter value
39 * I is our intermediate value
40 * V is our seed vector
41 * See http://csrc.nist.gov/groups/STM/cavp/documents/rng/931rngext.pdf
42 * for implementation details
48 unsigned char rand_data
[DEFAULT_BLK_SZ
];
49 unsigned char last_rand_data
[DEFAULT_BLK_SZ
];
50 unsigned char DT
[DEFAULT_BLK_SZ
];
51 unsigned char I
[DEFAULT_BLK_SZ
];
52 unsigned char V
[DEFAULT_BLK_SZ
];
54 struct crypto_cipher
*tfm
;
60 static void hexdump(char *note
, unsigned char *buf
, unsigned int len
)
63 printk(KERN_CRIT
"%s", note
);
64 print_hex_dump(KERN_CONT
, "", DUMP_PREFIX_OFFSET
,
70 #define dbgprint(format, args...) do {\
72 printk(format, ##args);\
75 static void xor_vectors(unsigned char *in1
, unsigned char *in2
,
76 unsigned char *out
, unsigned int size
)
80 for (i
= 0; i
< size
; i
++)
81 out
[i
] = in1
[i
] ^ in2
[i
];
85 * Returns DEFAULT_BLK_SZ bytes of random data per call
86 * returns 0 if generation succeded, <0 if something went wrong
88 static int _get_more_prng_bytes(struct prng_context
*ctx
)
91 unsigned char tmp
[DEFAULT_BLK_SZ
];
92 unsigned char *output
= NULL
;
95 dbgprint(KERN_CRIT
"Calling _get_more_prng_bytes for context %p\n",
98 hexdump("Input DT: ", ctx
->DT
, DEFAULT_BLK_SZ
);
99 hexdump("Input I: ", ctx
->I
, DEFAULT_BLK_SZ
);
100 hexdump("Input V: ", ctx
->V
, DEFAULT_BLK_SZ
);
103 * This algorithm is a 3 stage state machine
105 for (i
= 0; i
< 3; i
++) {
110 * Start by encrypting the counter value
111 * This gives us an intermediate value I
113 memcpy(tmp
, ctx
->DT
, DEFAULT_BLK_SZ
);
115 hexdump("tmp stage 0: ", tmp
, DEFAULT_BLK_SZ
);
120 * Next xor I with our secret vector V
121 * encrypt that result to obtain our
122 * pseudo random data which we output
124 xor_vectors(ctx
->I
, ctx
->V
, tmp
, DEFAULT_BLK_SZ
);
125 hexdump("tmp stage 1: ", tmp
, DEFAULT_BLK_SZ
);
126 output
= ctx
->rand_data
;
130 * First check that we didn't produce the same
131 * random data that we did last time around through this
133 if (!memcmp(ctx
->rand_data
, ctx
->last_rand_data
,
136 "ctx %p Failed repetition check!\n",
138 ctx
->flags
|= PRNG_NEED_RESET
;
141 memcpy(ctx
->last_rand_data
, ctx
->rand_data
,
145 * Lastly xor the random data with I
146 * and encrypt that to obtain a new secret vector V
148 xor_vectors(ctx
->rand_data
, ctx
->I
, tmp
,
151 hexdump("tmp stage 2: ", tmp
, DEFAULT_BLK_SZ
);
156 /* do the encryption */
157 crypto_cipher_encrypt_one(ctx
->tfm
, output
, tmp
);
162 * Now update our DT value
164 for (i
= 0; i
< DEFAULT_BLK_SZ
; i
++) {
170 dbgprint("Returning new block for context %p\n", ctx
);
171 ctx
->rand_data_valid
= 0;
173 hexdump("Output DT: ", ctx
->DT
, DEFAULT_BLK_SZ
);
174 hexdump("Output I: ", ctx
->I
, DEFAULT_BLK_SZ
);
175 hexdump("Output V: ", ctx
->V
, DEFAULT_BLK_SZ
);
176 hexdump("New Random Data: ", ctx
->rand_data
, DEFAULT_BLK_SZ
);
181 /* Our exported functions */
182 static int get_prng_bytes(char *buf
, size_t nbytes
, struct prng_context
*ctx
)
185 unsigned char *ptr
= buf
;
186 unsigned int byte_count
= (unsigned int)nbytes
;
193 spin_lock_irqsave(&ctx
->prng_lock
, flags
);
196 if (ctx
->flags
& PRNG_NEED_RESET
)
200 * If the FIXED_SIZE flag is on, only return whole blocks of
204 if (ctx
->flags
& PRNG_FIXED_SIZE
) {
205 if (nbytes
< DEFAULT_BLK_SZ
)
207 byte_count
= DEFAULT_BLK_SZ
;
212 dbgprint(KERN_CRIT
"getting %d random bytes for context %p\n",
217 if (ctx
->rand_data_valid
== DEFAULT_BLK_SZ
) {
218 if (_get_more_prng_bytes(ctx
) < 0) {
219 memset(buf
, 0, nbytes
);
226 * Copy up to the next whole block size
228 if (byte_count
< DEFAULT_BLK_SZ
) {
229 for (; ctx
->rand_data_valid
< DEFAULT_BLK_SZ
;
230 ctx
->rand_data_valid
++) {
231 *ptr
= ctx
->rand_data
[ctx
->rand_data_valid
];
240 * Now copy whole blocks
242 for (; byte_count
>= DEFAULT_BLK_SZ
; byte_count
-= DEFAULT_BLK_SZ
) {
243 if (_get_more_prng_bytes(ctx
) < 0) {
244 memset(buf
, 0, nbytes
);
248 memcpy(ptr
, ctx
->rand_data
, DEFAULT_BLK_SZ
);
249 ctx
->rand_data_valid
+= DEFAULT_BLK_SZ
;
250 ptr
+= DEFAULT_BLK_SZ
;
254 * Now copy any extra partial data
260 spin_unlock_irqrestore(&ctx
->prng_lock
, flags
);
261 dbgprint(KERN_CRIT
"returning %d from get_prng_bytes in context %p\n",
266 static void free_prng_context(struct prng_context
*ctx
)
268 crypto_free_cipher(ctx
->tfm
);
271 static int reset_prng_context(struct prng_context
*ctx
,
272 unsigned char *key
, size_t klen
,
273 unsigned char *V
, unsigned char *DT
)
277 unsigned char *prng_key
;
279 spin_lock(&ctx
->prng_lock
);
280 ctx
->flags
|= PRNG_NEED_RESET
;
282 prng_key
= (key
!= NULL
) ? key
: (unsigned char *)DEFAULT_PRNG_KEY
;
285 klen
= DEFAULT_PRNG_KSZ
;
288 memcpy(ctx
->V
, V
, DEFAULT_BLK_SZ
);
290 memcpy(ctx
->V
, DEFAULT_V_SEED
, DEFAULT_BLK_SZ
);
293 memcpy(ctx
->DT
, DT
, DEFAULT_BLK_SZ
);
295 memset(ctx
->DT
, 0, DEFAULT_BLK_SZ
);
297 memset(ctx
->rand_data
, 0, DEFAULT_BLK_SZ
);
298 memset(ctx
->last_rand_data
, 0, DEFAULT_BLK_SZ
);
301 crypto_free_cipher(ctx
->tfm
);
303 ctx
->tfm
= crypto_alloc_cipher("aes", 0, 0);
304 if (IS_ERR(ctx
->tfm
)) {
305 dbgprint(KERN_CRIT
"Failed to alloc tfm for context %p\n",
311 ctx
->rand_data_valid
= DEFAULT_BLK_SZ
;
313 ret
= crypto_cipher_setkey(ctx
->tfm
, prng_key
, klen
);
315 dbgprint(KERN_CRIT
"PRNG: setkey() failed flags=%x\n",
316 crypto_cipher_get_flags(ctx
->tfm
));
317 crypto_free_cipher(ctx
->tfm
);
322 ctx
->flags
&= ~PRNG_NEED_RESET
;
324 spin_unlock(&ctx
->prng_lock
);
330 static int cprng_init(struct crypto_tfm
*tfm
)
332 struct prng_context
*ctx
= crypto_tfm_ctx(tfm
);
334 spin_lock_init(&ctx
->prng_lock
);
336 return reset_prng_context(ctx
, NULL
, DEFAULT_PRNG_KSZ
, NULL
, NULL
);
339 static void cprng_exit(struct crypto_tfm
*tfm
)
341 free_prng_context(crypto_tfm_ctx(tfm
));
344 static int cprng_get_random(struct crypto_rng
*tfm
, u8
*rdata
,
347 struct prng_context
*prng
= crypto_rng_ctx(tfm
);
349 return get_prng_bytes(rdata
, dlen
, prng
);
352 static int cprng_reset(struct crypto_rng
*tfm
, u8
*seed
, unsigned int slen
)
354 struct prng_context
*prng
= crypto_rng_ctx(tfm
);
355 u8
*key
= seed
+ DEFAULT_PRNG_KSZ
;
357 if (slen
< DEFAULT_PRNG_KSZ
+ DEFAULT_BLK_SZ
)
360 reset_prng_context(prng
, key
, DEFAULT_PRNG_KSZ
, seed
, NULL
);
362 if (prng
->flags
& PRNG_NEED_RESET
)
367 static struct crypto_alg rng_alg
= {
368 .cra_name
= "stdrng",
369 .cra_driver_name
= "ansi_cprng",
371 .cra_flags
= CRYPTO_ALG_TYPE_RNG
,
372 .cra_ctxsize
= sizeof(struct prng_context
),
373 .cra_type
= &crypto_rng_type
,
374 .cra_module
= THIS_MODULE
,
375 .cra_list
= LIST_HEAD_INIT(rng_alg
.cra_list
),
376 .cra_init
= cprng_init
,
377 .cra_exit
= cprng_exit
,
380 .rng_make_random
= cprng_get_random
,
381 .rng_reset
= cprng_reset
,
382 .seedsize
= DEFAULT_PRNG_KSZ
+ DEFAULT_BLK_SZ
,
388 /* Module initalization */
389 static int __init
prng_mod_init(void)
394 rng_alg
.cra_priority
+= 200;
396 ret
= crypto_register_alg(&rng_alg
);
404 static void __exit
prng_mod_fini(void)
406 crypto_unregister_alg(&rng_alg
);
410 MODULE_LICENSE("GPL");
411 MODULE_DESCRIPTION("Software Pseudo Random Number Generator");
412 MODULE_AUTHOR("Neil Horman <nhorman@tuxdriver.com>");
413 module_param(dbg
, int, 0);
414 MODULE_PARM_DESC(dbg
, "Boolean to enable debugging (0/1 == off/on)");
415 module_init(prng_mod_init
);
416 module_exit(prng_mod_fini
);
417 MODULE_ALIAS("stdrng");