[linux.git] / crypto / algif_rng.c

/*
 * algif_rng: User-space interface for random number generators
 *
 * This file provides the user-space API for random number generators.
 *
 * Copyright (C) 2014, Stephan Mueller <[email protected]>
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, and the entire permission notice in its entirety,
 *    including the disclaimer of warranties.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 *    products derived from this software without specific prior
 *    written permission.
 *
 * ALTERNATIVELY, this product may be distributed under the terms of
 * the GNU General Public License, in which case the provisions of the GPL2
 * are required INSTEAD OF the above restrictions.  (This clause is
 * necessary due to a potential bad interaction between the GPL and
 * the restrictions contained in a BSD-style copyright.)
 *
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
 * WHICH ARE HEREBY DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
 * DAMAGE.
 */

#include <linux/capability.h>
#include <linux/module.h>
#include <crypto/rng.h>
#include <linux/random.h>
#include <crypto/if_alg.h>
#include <linux/net.h>
#include <net/sock.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Stephan Mueller <[email protected]>");
MODULE_DESCRIPTION("User-space interface for random number generators");

struct rng_ctx {
#define MAXSIZE 128
	unsigned int len;
	struct crypto_rng *drng;
	u8 *addtl;
	size_t addtl_len;
};

struct rng_parent_ctx {
	struct crypto_rng *drng;
	u8 *entropy;
};

static void rng_reset_addtl(struct rng_ctx *ctx)
{
	kfree_sensitive(ctx->addtl);
	ctx->addtl = NULL;
	ctx->addtl_len = 0;
}

static int _rng_recvmsg(struct crypto_rng *drng, struct msghdr *msg, size_t len,
			u8 *addtl, size_t addtl_len)
{
	int err = 0;
	int genlen = 0;
	u8 result[MAXSIZE];

	if (len == 0)
		return 0;
	if (len > MAXSIZE)
		len = MAXSIZE;

	/*
	 * although not strictly needed, this is a precaution against coding
	 * errors
	 */
	memset(result, 0, len);

	/*
	 * The enforcement of a proper seeding of an RNG is done within an
	 * RNG implementation. Some RNGs (DRBG, krng) do not need specific
	 * seeding as they automatically seed. The X9.31 DRNG will return
	 * an error if it was not seeded properly.
	 */
	genlen = crypto_rng_generate(drng, addtl, addtl_len, result, len);
	if (genlen < 0)
		return genlen;

	err = memcpy_to_msg(msg, result, len);
	memzero_explicit(result, len);

	return err ? err : len;
}

static int rng_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
		       int flags)
{
	struct sock *sk = sock->sk;
	struct alg_sock *ask = alg_sk(sk);
	struct rng_ctx *ctx = ask->private;

	return _rng_recvmsg(ctx->drng, msg, len, NULL, 0);
}

static int rng_test_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
			    int flags)
{
	struct sock *sk = sock->sk;
	struct alg_sock *ask = alg_sk(sk);
	struct rng_ctx *ctx = ask->private;
	int ret;

	lock_sock(sock->sk);
	ret = _rng_recvmsg(ctx->drng, msg, len, ctx->addtl, ctx->addtl_len);
	rng_reset_addtl(ctx);
	release_sock(sock->sk);

	return ret;
}

static int rng_test_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
{
	int err;
	struct alg_sock *ask = alg_sk(sock->sk);
	struct rng_ctx *ctx = ask->private;

	lock_sock(sock->sk);
	if (len > MAXSIZE) {
		err = -EMSGSIZE;
		goto unlock;
	}

	rng_reset_addtl(ctx);
	ctx->addtl = kmalloc(len, GFP_KERNEL);
	if (!ctx->addtl) {
		err = -ENOMEM;
		goto unlock;
	}

	err = memcpy_from_msg(ctx->addtl, msg, len);
	if (err) {
		rng_reset_addtl(ctx);
		goto unlock;
	}
	ctx->addtl_len = len;

unlock:
	release_sock(sock->sk);
	return err ? err : len;
}

static struct proto_ops algif_rng_ops = {
	.family		=	PF_ALG,

	.connect	=	sock_no_connect,
	.socketpair	=	sock_no_socketpair,
	.getname	=	sock_no_getname,
	.ioctl		=	sock_no_ioctl,
	.listen		=	sock_no_listen,
	.shutdown	=	sock_no_shutdown,
	.mmap		=	sock_no_mmap,
	.bind		=	sock_no_bind,
	.accept		=	sock_no_accept,
	.sendmsg	=	sock_no_sendmsg,

	.release	=	af_alg_release,
	.recvmsg	=	rng_recvmsg,
};

static struct proto_ops __maybe_unused algif_rng_test_ops = {
	.family		=	PF_ALG,

	.connect	=	sock_no_connect,
	.socketpair	=	sock_no_socketpair,
	.getname	=	sock_no_getname,
	.ioctl		=	sock_no_ioctl,
	.listen		=	sock_no_listen,
	.shutdown	=	sock_no_shutdown,
	.mmap		=	sock_no_mmap,
	.bind		=	sock_no_bind,
	.accept		=	sock_no_accept,

	.release	=	af_alg_release,
	.recvmsg	=	rng_test_recvmsg,
	.sendmsg	=	rng_test_sendmsg,
};

static void *rng_bind(const char *name, u32 type, u32 mask)
{
	struct rng_parent_ctx *pctx;
	struct crypto_rng *rng;

	pctx = kzalloc(sizeof(*pctx), GFP_KERNEL);
	if (!pctx)
		return ERR_PTR(-ENOMEM);

	rng = crypto_alloc_rng(name, type, mask);
	if (IS_ERR(rng)) {
		kfree(pctx);
		return ERR_CAST(rng);
	}

	pctx->drng = rng;
	return pctx;
}

static void rng_release(void *private)
{
	struct rng_parent_ctx *pctx = private;

	if (unlikely(!pctx))
		return;
	crypto_free_rng(pctx->drng);
	kfree_sensitive(pctx->entropy);
	kfree_sensitive(pctx);
}

static void rng_sock_destruct(struct sock *sk)
{
	struct alg_sock *ask = alg_sk(sk);
	struct rng_ctx *ctx = ask->private;

	rng_reset_addtl(ctx);
	sock_kfree_s(sk, ctx, ctx->len);
	af_alg_release_parent(sk);
}

static int rng_accept_parent(void *private, struct sock *sk)
{
	struct rng_ctx *ctx;
	struct rng_parent_ctx *pctx = private;
	struct alg_sock *ask = alg_sk(sk);
	unsigned int len = sizeof(*ctx);

	ctx = sock_kmalloc(sk, len, GFP_KERNEL);
	if (!ctx)
		return -ENOMEM;

	ctx->len = len;
	ctx->addtl = NULL;
	ctx->addtl_len = 0;

	/*
	 * No seeding done at that point -- if multiple accepts are
	 * done on one RNG instance, each resulting FD points to the same
	 * state of the RNG.
	 */

	ctx->drng = pctx->drng;
	ask->private = ctx;
	sk->sk_destruct = rng_sock_destruct;

	/*
	 * Non NULL pctx->entropy means that CAVP test has been initiated on
	 * this socket, replace proto_ops algif_rng_ops with algif_rng_test_ops.
	 */
	if (IS_ENABLED(CONFIG_CRYPTO_USER_API_RNG_CAVP) && pctx->entropy)
		sk->sk_socket->ops = &algif_rng_test_ops;

	return 0;
}

static int rng_setkey(void *private, const u8 *seed, unsigned int seedlen)
{
	struct rng_parent_ctx *pctx = private;
	/*
	 * Check whether seedlen is of sufficient size is done in RNG
	 * implementations.
	 */
	return crypto_rng_reset(pctx->drng, seed, seedlen);
}

static int __maybe_unused rng_setentropy(void *private, sockptr_t entropy,
					 unsigned int len)
{
	struct rng_parent_ctx *pctx = private;
	u8 *kentropy = NULL;

	if (!capable(CAP_SYS_ADMIN))
		return -EACCES;

	if (pctx->entropy)
		return -EINVAL;

	if (len > MAXSIZE)
		return -EMSGSIZE;

	if (len) {
		kentropy = memdup_sockptr(entropy, len);
		if (IS_ERR(kentropy))
			return PTR_ERR(kentropy);
	}

	crypto_rng_alg(pctx->drng)->set_ent(pctx->drng, kentropy, len);
	/*
	 * Since rng doesn't perform any memory management for the entropy
	 * buffer, save kentropy pointer to pctx now to free it after use.
	 */
	pctx->entropy = kentropy;
	return 0;
}

static const struct af_alg_type algif_type_rng = {
	.bind		=	rng_bind,
	.release	=	rng_release,
	.accept		=	rng_accept_parent,
	.setkey		=	rng_setkey,
#ifdef CONFIG_CRYPTO_USER_API_RNG_CAVP
	.setentropy	=	rng_setentropy,
#endif
	.ops		=	&algif_rng_ops,
	.name		=	"rng",
	.owner		=	THIS_MODULE
};

static int __init rng_init(void)
{
	return af_alg_register_type(&algif_type_rng);
}

static void __exit rng_exit(void)
{
	int err = af_alg_unregister_type(&algif_type_rng);
	BUG_ON(err);
}

module_init(rng_init);
module_exit(rng_exit);
Commit	Line	Data
5afdfd22 SM	1	/*
	2	* algif_rng: User-space interface for random number generators
	3	*
	4	* This file provides the user-space API for random number generators.
	5	*
	6	* Copyright (C) 2014, Stephan Mueller <[email protected]>
	7	*
	8	* Redistribution and use in source and binary forms, with or without
	9	* modification, are permitted provided that the following conditions
	10	* are met:
	11	* 1. Redistributions of source code must retain the above copyright
	12	* notice, and the entire permission notice in its entirety,
	13	* including the disclaimer of warranties.
	14	* 2. Redistributions in binary form must reproduce the above copyright
	15	* notice, this list of conditions and the following disclaimer in the
	16	* documentation and/or other materials provided with the distribution.
	17	* 3. The name of the author may not be used to endorse or promote
	18	* products derived from this software without specific prior
	19	* written permission.
	20	*
	21	* ALTERNATIVELY, this product may be distributed under the terms of
	22	* the GNU General Public License, in which case the provisions of the GPL2
	23	* are required INSTEAD OF the above restrictions. (This clause is
	24	* necessary due to a potential bad interaction between the GPL and
	25	* the restrictions contained in a BSD-style copyright.)
	26	*
	27	* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
	28	* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	29	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
	30	* WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE
	31	* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
	32	* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
	33	* OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
	34	* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
	35	* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	36	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
	37	* USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
	38	* DAMAGE.
	39	*/
	40
77ebdabe	41	#include <linux/capability.h>
5afdfd22 SM	42	#include <linux/module.h>
	43	#include <crypto/rng.h>
	44	#include <linux/random.h>
	45	#include <crypto/if_alg.h>
	46	#include <linux/net.h>
	47	#include <net/sock.h>
	48
	49	MODULE_LICENSE("GPL");
	50	MODULE_AUTHOR("Stephan Mueller <[email protected]>");
	51	MODULE_DESCRIPTION("User-space interface for random number generators");
	52
	53	struct rng_ctx {
	54	#define MAXSIZE 128
	55	unsigned int len;
	56	struct crypto_rng *drng;
77ebdabe EP	57	u8 *addtl;
77ebdabe EP	58	size_t addtl_len;
5afdfd22 SM	59	};
5afdfd22 SM	60
77ebdabe EP	61	struct rng_parent_ctx {
	62	struct crypto_rng *drng;
	63	u8 *entropy;
	64	};
	65
	66	static void rng_reset_addtl(struct rng_ctx *ctx)
5afdfd22	67	{
77ebdabe EP	68	kfree_sensitive(ctx->addtl);
	69	ctx->addtl = NULL;
	70	ctx->addtl_len = 0;
	71	}
	72
	73	static int _rng_recvmsg(struct crypto_rng drng, struct msghdr msg, size_t len,
	74	u8 *addtl, size_t addtl_len)
	75	{
	76	int err = 0;
5afdfd22 SM	77	int genlen = 0;
	78	u8 result[MAXSIZE];
	79
	80	if (len == 0)
	81	return 0;
	82	if (len > MAXSIZE)
	83	len = MAXSIZE;
	84
	85	/*
	86	* although not strictly needed, this is a precaution against coding
	87	* errors
	88	*/
	89	memset(result, 0, len);
	90
	91	/*
	92	* The enforcement of a proper seeding of an RNG is done within an
	93	* RNG implementation. Some RNGs (DRBG, krng) do not need specific
	94	* seeding as they automatically seed. The X9.31 DRNG will return
	95	* an error if it was not seeded properly.
	96	*/
77ebdabe	97	genlen = crypto_rng_generate(drng, addtl, addtl_len, result, len);
5afdfd22 SM	98	if (genlen < 0)
	99	return genlen;
	100
	101	err = memcpy_to_msg(msg, result, len);
2ef4d5c4	102	memzero_explicit(result, len);
5afdfd22 SM	103
	104	return err ? err : len;
	105	}
	106
77ebdabe EP	107	static int rng_recvmsg(struct socket sock, struct msghdr msg, size_t len,
	108	int flags)
	109	{
	110	struct sock *sk = sock->sk;
	111	struct alg_sock *ask = alg_sk(sk);
	112	struct rng_ctx *ctx = ask->private;
	113
	114	return _rng_recvmsg(ctx->drng, msg, len, NULL, 0);
	115	}
	116
	117	static int rng_test_recvmsg(struct socket sock, struct msghdr msg, size_t len,
	118	int flags)
	119	{
	120	struct sock *sk = sock->sk;
	121	struct alg_sock *ask = alg_sk(sk);
	122	struct rng_ctx *ctx = ask->private;
	123	int ret;
	124
	125	lock_sock(sock->sk);
	126	ret = _rng_recvmsg(ctx->drng, msg, len, ctx->addtl, ctx->addtl_len);
	127	rng_reset_addtl(ctx);
	128	release_sock(sock->sk);
	129
	130	return ret;
	131	}
	132
	133	static int rng_test_sendmsg(struct socket sock, struct msghdr msg, size_t len)
	134	{
	135	int err;
	136	struct alg_sock *ask = alg_sk(sock->sk);
	137	struct rng_ctx *ctx = ask->private;
	138
	139	lock_sock(sock->sk);
	140	if (len > MAXSIZE) {
	141	err = -EMSGSIZE;
	142	goto unlock;
	143	}
	144
	145	rng_reset_addtl(ctx);
	146	ctx->addtl = kmalloc(len, GFP_KERNEL);
	147	if (!ctx->addtl) {
	148	err = -ENOMEM;
	149	goto unlock;
	150	}
	151
	152	err = memcpy_from_msg(ctx->addtl, msg, len);
	153	if (err) {
	154	rng_reset_addtl(ctx);
	155	goto unlock;
	156	}
	157	ctx->addtl_len = len;
	158
	159	unlock:
	160	release_sock(sock->sk);
	161	return err ? err : len;
	162	}
	163
5afdfd22 SM	164	static struct proto_ops algif_rng_ops = {
	165	.family = PF_ALG,
	166
	167	.connect = sock_no_connect,
	168	.socketpair = sock_no_socketpair,
	169	.getname = sock_no_getname,
	170	.ioctl = sock_no_ioctl,
	171	.listen = sock_no_listen,
	172	.shutdown = sock_no_shutdown,
5afdfd22 SM	173	.mmap = sock_no_mmap,
	174	.bind = sock_no_bind,
	175	.accept = sock_no_accept,
5afdfd22	176	.sendmsg = sock_no_sendmsg,
5afdfd22 SM	177
	178	.release = af_alg_release,
	179	.recvmsg = rng_recvmsg,
	180	};
	181
77ebdabe EP	182	static struct proto_ops __maybe_unused algif_rng_test_ops = {
	183	.family = PF_ALG,
	184
	185	.connect = sock_no_connect,
	186	.socketpair = sock_no_socketpair,
	187	.getname = sock_no_getname,
	188	.ioctl = sock_no_ioctl,
	189	.listen = sock_no_listen,
	190	.shutdown = sock_no_shutdown,
	191	.mmap = sock_no_mmap,
	192	.bind = sock_no_bind,
	193	.accept = sock_no_accept,
77ebdabe EP	194
	195	.release = af_alg_release,
	196	.recvmsg = rng_test_recvmsg,
	197	.sendmsg = rng_test_sendmsg,
	198	};
	199
5afdfd22 SM	200	static void rng_bind(const char name, u32 type, u32 mask)
5afdfd22 SM	201	{
77ebdabe EP	202	struct rng_parent_ctx *pctx;
	203	struct crypto_rng *rng;
	204
	205	pctx = kzalloc(sizeof(*pctx), GFP_KERNEL);
	206	if (!pctx)
	207	return ERR_PTR(-ENOMEM);
	208
	209	rng = crypto_alloc_rng(name, type, mask);
	210	if (IS_ERR(rng)) {
	211	kfree(pctx);
	212	return ERR_CAST(rng);
	213	}
	214
	215	pctx->drng = rng;
	216	return pctx;
5afdfd22 SM	217	}
	218
	219	static void rng_release(void *private)
	220	{
77ebdabe EP	221	struct rng_parent_ctx *pctx = private;
	222
	223	if (unlikely(!pctx))
	224	return;
	225	crypto_free_rng(pctx->drng);
	226	kfree_sensitive(pctx->entropy);
	227	kfree_sensitive(pctx);
5afdfd22 SM	228	}
	229
	230	static void rng_sock_destruct(struct sock *sk)
	231	{
	232	struct alg_sock *ask = alg_sk(sk);
	233	struct rng_ctx *ctx = ask->private;
	234
77ebdabe	235	rng_reset_addtl(ctx);
5afdfd22 SM	236	sock_kfree_s(sk, ctx, ctx->len);
	237	af_alg_release_parent(sk);
	238	}
	239
	240	static int rng_accept_parent(void private, struct sock sk)
	241	{
	242	struct rng_ctx *ctx;
77ebdabe	243	struct rng_parent_ctx *pctx = private;
5afdfd22 SM	244	struct alg_sock *ask = alg_sk(sk);
	245	unsigned int len = sizeof(*ctx);
	246
	247	ctx = sock_kmalloc(sk, len, GFP_KERNEL);
	248	if (!ctx)
	249	return -ENOMEM;
	250
	251	ctx->len = len;
77ebdabe EP	252	ctx->addtl = NULL;
77ebdabe EP	253	ctx->addtl_len = 0;
5afdfd22 SM	254
	255	/*
	256	* No seeding done at that point -- if multiple accepts are
	257	* done on one RNG instance, each resulting FD points to the same
	258	* state of the RNG.
	259	*/
	260
77ebdabe	261	ctx->drng = pctx->drng;
5afdfd22 SM	262	ask->private = ctx;
	263	sk->sk_destruct = rng_sock_destruct;
	264
77ebdabe EP	265	/*
	266	* Non NULL pctx->entropy means that CAVP test has been initiated on
	267	* this socket, replace proto_ops algif_rng_ops with algif_rng_test_ops.
	268	*/
	269	if (IS_ENABLED(CONFIG_CRYPTO_USER_API_RNG_CAVP) && pctx->entropy)
	270	sk->sk_socket->ops = &algif_rng_test_ops;
	271
5afdfd22 SM	272	return 0;
	273	}
	274
	275	static int rng_setkey(void private, const u8 seed, unsigned int seedlen)
	276	{
77ebdabe	277	struct rng_parent_ctx *pctx = private;
5afdfd22 SM	278	/*
	279	* Check whether seedlen is of sufficient size is done in RNG
	280	* implementations.
	281	*/
77ebdabe EP	282	return crypto_rng_reset(pctx->drng, seed, seedlen);
	283	}
	284
	285	static int __maybe_unused rng_setentropy(void *private, sockptr_t entropy,
	286	unsigned int len)
	287	{
	288	struct rng_parent_ctx *pctx = private;
	289	u8 *kentropy = NULL;
	290
	291	if (!capable(CAP_SYS_ADMIN))
	292	return -EACCES;
	293
	294	if (pctx->entropy)
	295	return -EINVAL;
	296
	297	if (len > MAXSIZE)
	298	return -EMSGSIZE;
	299
	300	if (len) {
	301	kentropy = memdup_sockptr(entropy, len);
	302	if (IS_ERR(kentropy))
	303	return PTR_ERR(kentropy);
	304	}
	305
	306	crypto_rng_alg(pctx->drng)->set_ent(pctx->drng, kentropy, len);
	307	/*
	308	* Since rng doesn't perform any memory management for the entropy
	309	* buffer, save kentropy pointer to pctx now to free it after use.
	310	*/
	311	pctx->entropy = kentropy;
	312	return 0;
5afdfd22 SM	313	}
	314
	315	static const struct af_alg_type algif_type_rng = {
	316	.bind = rng_bind,
	317	.release = rng_release,
	318	.accept = rng_accept_parent,
	319	.setkey = rng_setkey,
77ebdabe EP	320	#ifdef CONFIG_CRYPTO_USER_API_RNG_CAVP
	321	.setentropy = rng_setentropy,
	322	#endif
5afdfd22 SM	323	.ops = &algif_rng_ops,
	324	.name = "rng",
	325	.owner = THIS_MODULE
	326	};
	327
	328	static int __init rng_init(void)
	329	{
	330	return af_alg_register_type(&algif_type_rng);
	331	}
	332
598de369	333	static void __exit rng_exit(void)
5afdfd22 SM	334	{
	335	int err = af_alg_unregister_type(&algif_type_rng);
	336	BUG_ON(err);
	337	}
	338
	339	module_init(rng_init);
	340	module_exit(rng_exit);