2 * PRNG: Pseudo Random Number Generator
3 * Based on NIST Recommended PRNG From ANSI X9.31 Appendix A.2.4 using
6 * (C) Neil Horman <nhorman@tuxdriver.com>
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
16 #include <crypto/internal/rng.h>
17 #include <linux/err.h>
18 #include <linux/init.h>
19 #include <linux/module.h>
20 #include <linux/moduleparam.h>
21 #include <linux/string.h>
25 #define DEFAULT_PRNG_KEY "0123456789abcdef"
26 #define DEFAULT_PRNG_KSZ 16
27 #define DEFAULT_BLK_SZ 16
28 #define DEFAULT_V_SEED "zaybxcwdveuftgsh"
31 * Flags for the prng_context flags field
34 #define PRNG_FIXED_SIZE 0x1
35 #define PRNG_NEED_RESET 0x2
38 * Note: DT is our counter value
39 * I is our intermediate value
40 * V is our seed vector
41 * See http://csrc.nist.gov/groups/STM/cavp/documents/rng/931rngext.pdf
42 * for implementation details
48 unsigned char rand_data
[DEFAULT_BLK_SZ
];
49 unsigned char last_rand_data
[DEFAULT_BLK_SZ
];
50 unsigned char DT
[DEFAULT_BLK_SZ
];
51 unsigned char I
[DEFAULT_BLK_SZ
];
52 unsigned char V
[DEFAULT_BLK_SZ
];
54 struct crypto_cipher
*tfm
;
60 static void hexdump(char *note
, unsigned char *buf
, unsigned int len
)
63 printk(KERN_CRIT
"%s", note
);
64 print_hex_dump(KERN_CONT
, "", DUMP_PREFIX_OFFSET
,
70 #define dbgprint(format, args...) do {\
72 printk(format, ##args);\
75 static void xor_vectors(unsigned char *in1
, unsigned char *in2
,
76 unsigned char *out
, unsigned int size
)
80 for (i
= 0; i
< size
; i
++)
81 out
[i
] = in1
[i
] ^ in2
[i
];
85 * Returns DEFAULT_BLK_SZ bytes of random data per call
86 * returns 0 if generation succeded, <0 if something went wrong
88 static int _get_more_prng_bytes(struct prng_context
*ctx
)
91 unsigned char tmp
[DEFAULT_BLK_SZ
];
92 unsigned char *output
= NULL
;
95 dbgprint(KERN_CRIT
"Calling _get_more_prng_bytes for context %p\n",
98 hexdump("Input DT: ", ctx
->DT
, DEFAULT_BLK_SZ
);
99 hexdump("Input I: ", ctx
->I
, DEFAULT_BLK_SZ
);
100 hexdump("Input V: ", ctx
->V
, DEFAULT_BLK_SZ
);
103 * This algorithm is a 3 stage state machine
105 for (i
= 0; i
< 3; i
++) {
110 * Start by encrypting the counter value
111 * This gives us an intermediate value I
113 memcpy(tmp
, ctx
->DT
, DEFAULT_BLK_SZ
);
115 hexdump("tmp stage 0: ", tmp
, DEFAULT_BLK_SZ
);
120 * Next xor I with our secret vector V
121 * encrypt that result to obtain our
122 * pseudo random data which we output
124 xor_vectors(ctx
->I
, ctx
->V
, tmp
, DEFAULT_BLK_SZ
);
125 hexdump("tmp stage 1: ", tmp
, DEFAULT_BLK_SZ
);
126 output
= ctx
->rand_data
;
130 * First check that we didn't produce the same
131 * random data that we did last time around through this
133 if (!memcmp(ctx
->rand_data
, ctx
->last_rand_data
,
136 panic("cprng %p Failed repetition check!\n",
141 "ctx %p Failed repetition check!\n",
144 ctx
->flags
|= PRNG_NEED_RESET
;
147 memcpy(ctx
->last_rand_data
, ctx
->rand_data
,
151 * Lastly xor the random data with I
152 * and encrypt that to obtain a new secret vector V
154 xor_vectors(ctx
->rand_data
, ctx
->I
, tmp
,
157 hexdump("tmp stage 2: ", tmp
, DEFAULT_BLK_SZ
);
162 /* do the encryption */
163 crypto_cipher_encrypt_one(ctx
->tfm
, output
, tmp
);
168 * Now update our DT value
170 for (i
= DEFAULT_BLK_SZ
- 1; i
>= 0; i
--) {
176 dbgprint("Returning new block for context %p\n", ctx
);
177 ctx
->rand_data_valid
= 0;
179 hexdump("Output DT: ", ctx
->DT
, DEFAULT_BLK_SZ
);
180 hexdump("Output I: ", ctx
->I
, DEFAULT_BLK_SZ
);
181 hexdump("Output V: ", ctx
->V
, DEFAULT_BLK_SZ
);
182 hexdump("New Random Data: ", ctx
->rand_data
, DEFAULT_BLK_SZ
);
187 /* Our exported functions */
188 static int get_prng_bytes(char *buf
, size_t nbytes
, struct prng_context
*ctx
)
190 unsigned char *ptr
= buf
;
191 unsigned int byte_count
= (unsigned int)nbytes
;
198 spin_lock_bh(&ctx
->prng_lock
);
201 if (ctx
->flags
& PRNG_NEED_RESET
)
205 * If the FIXED_SIZE flag is on, only return whole blocks of
209 if (ctx
->flags
& PRNG_FIXED_SIZE
) {
210 if (nbytes
< DEFAULT_BLK_SZ
)
212 byte_count
= DEFAULT_BLK_SZ
;
217 dbgprint(KERN_CRIT
"getting %d random bytes for context %p\n",
222 if (ctx
->rand_data_valid
== DEFAULT_BLK_SZ
) {
223 if (_get_more_prng_bytes(ctx
) < 0) {
224 memset(buf
, 0, nbytes
);
231 * Copy any data less than an entire block
233 if (byte_count
< DEFAULT_BLK_SZ
) {
235 for (; ctx
->rand_data_valid
< DEFAULT_BLK_SZ
;
236 ctx
->rand_data_valid
++) {
237 *ptr
= ctx
->rand_data
[ctx
->rand_data_valid
];
246 * Now copy whole blocks
248 for (; byte_count
>= DEFAULT_BLK_SZ
; byte_count
-= DEFAULT_BLK_SZ
) {
249 if (ctx
->rand_data_valid
== DEFAULT_BLK_SZ
) {
250 if (_get_more_prng_bytes(ctx
) < 0) {
251 memset(buf
, 0, nbytes
);
256 if (ctx
->rand_data_valid
> 0)
258 memcpy(ptr
, ctx
->rand_data
, DEFAULT_BLK_SZ
);
259 ctx
->rand_data_valid
+= DEFAULT_BLK_SZ
;
260 ptr
+= DEFAULT_BLK_SZ
;
264 * Now go back and get any remaining partial block
270 spin_unlock_bh(&ctx
->prng_lock
);
271 dbgprint(KERN_CRIT
"returning %d from get_prng_bytes in context %p\n",
276 static void free_prng_context(struct prng_context
*ctx
)
278 crypto_free_cipher(ctx
->tfm
);
281 static int reset_prng_context(struct prng_context
*ctx
,
282 unsigned char *key
, size_t klen
,
283 unsigned char *V
, unsigned char *DT
)
286 unsigned char *prng_key
;
288 spin_lock_bh(&ctx
->prng_lock
);
289 ctx
->flags
|= PRNG_NEED_RESET
;
291 prng_key
= (key
!= NULL
) ? key
: (unsigned char *)DEFAULT_PRNG_KEY
;
294 klen
= DEFAULT_PRNG_KSZ
;
297 memcpy(ctx
->V
, V
, DEFAULT_BLK_SZ
);
299 memcpy(ctx
->V
, DEFAULT_V_SEED
, DEFAULT_BLK_SZ
);
302 memcpy(ctx
->DT
, DT
, DEFAULT_BLK_SZ
);
304 memset(ctx
->DT
, 0, DEFAULT_BLK_SZ
);
306 memset(ctx
->rand_data
, 0, DEFAULT_BLK_SZ
);
307 memset(ctx
->last_rand_data
, 0, DEFAULT_BLK_SZ
);
309 ctx
->rand_data_valid
= DEFAULT_BLK_SZ
;
311 ret
= crypto_cipher_setkey(ctx
->tfm
, prng_key
, klen
);
313 dbgprint(KERN_CRIT
"PRNG: setkey() failed flags=%x\n",
314 crypto_cipher_get_flags(ctx
->tfm
));
319 ctx
->flags
&= ~PRNG_NEED_RESET
;
321 spin_unlock_bh(&ctx
->prng_lock
);
325 static int cprng_init(struct crypto_tfm
*tfm
)
327 struct prng_context
*ctx
= crypto_tfm_ctx(tfm
);
329 spin_lock_init(&ctx
->prng_lock
);
330 ctx
->tfm
= crypto_alloc_cipher("aes", 0, 0);
331 if (IS_ERR(ctx
->tfm
)) {
332 dbgprint(KERN_CRIT
"Failed to alloc tfm for context %p\n",
334 return PTR_ERR(ctx
->tfm
);
337 if (reset_prng_context(ctx
, NULL
, DEFAULT_PRNG_KSZ
, NULL
, NULL
) < 0)
341 * after allocation, we should always force the user to reset
342 * so they don't inadvertently use the insecure default values
343 * without specifying them intentially
345 ctx
->flags
|= PRNG_NEED_RESET
;
349 static void cprng_exit(struct crypto_tfm
*tfm
)
351 free_prng_context(crypto_tfm_ctx(tfm
));
354 static int cprng_get_random(struct crypto_rng
*tfm
, u8
*rdata
,
357 struct prng_context
*prng
= crypto_rng_ctx(tfm
);
359 return get_prng_bytes(rdata
, dlen
, prng
);
363 * This is the cprng_registered reset method the seed value is
364 * interpreted as the tuple { V KEY DT}
365 * V and KEY are required during reset, and DT is optional, detected
366 * as being present by testing the length of the seed
368 static int cprng_reset(struct crypto_rng
*tfm
, u8
*seed
, unsigned int slen
)
370 struct prng_context
*prng
= crypto_rng_ctx(tfm
);
371 u8
*key
= seed
+ DEFAULT_BLK_SZ
;
374 if (slen
< DEFAULT_PRNG_KSZ
+ DEFAULT_BLK_SZ
)
377 if (slen
>= (2 * DEFAULT_BLK_SZ
+ DEFAULT_PRNG_KSZ
))
378 dt
= key
+ DEFAULT_PRNG_KSZ
;
380 reset_prng_context(prng
, key
, DEFAULT_PRNG_KSZ
, seed
, dt
);
382 if (prng
->flags
& PRNG_NEED_RESET
)
387 static struct crypto_alg rng_alg
= {
388 .cra_name
= "stdrng",
389 .cra_driver_name
= "ansi_cprng",
391 .cra_flags
= CRYPTO_ALG_TYPE_RNG
,
392 .cra_ctxsize
= sizeof(struct prng_context
),
393 .cra_type
= &crypto_rng_type
,
394 .cra_module
= THIS_MODULE
,
395 .cra_list
= LIST_HEAD_INIT(rng_alg
.cra_list
),
396 .cra_init
= cprng_init
,
397 .cra_exit
= cprng_exit
,
400 .rng_make_random
= cprng_get_random
,
401 .rng_reset
= cprng_reset
,
402 .seedsize
= DEFAULT_PRNG_KSZ
+ 2*DEFAULT_BLK_SZ
,
408 /* Module initalization */
409 static int __init
prng_mod_init(void)
412 rng_alg
.cra_priority
+= 200;
414 return crypto_register_alg(&rng_alg
);
417 static void __exit
prng_mod_fini(void)
419 crypto_unregister_alg(&rng_alg
);
423 MODULE_LICENSE("GPL");
424 MODULE_DESCRIPTION("Software Pseudo Random Number Generator");
425 MODULE_AUTHOR("Neil Horman <nhorman@tuxdriver.com>");
426 module_param(dbg
, int, 0);
427 MODULE_PARM_DESC(dbg
, "Boolean to enable debugging (0/1 == off/on)");
428 module_init(prng_mod_init
);
429 module_exit(prng_mod_fini
);
430 MODULE_ALIAS("stdrng");