|
@@ -0,0 +1,416 @@
|
|
1
|
+/*
|
|
2
|
+ * Copyright (C) 2012 Michael Brown <mbrown@fensystems.co.uk>.
|
|
3
|
+ *
|
|
4
|
+ * This program is free software; you can redistribute it and/or
|
|
5
|
+ * modify it under the terms of the GNU General Public License as
|
|
6
|
+ * published by the Free Software Foundation; either version 2 of the
|
|
7
|
+ * License, or any later version.
|
|
8
|
+ *
|
|
9
|
+ * This program is distributed in the hope that it will be useful, but
|
|
10
|
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
11
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
12
|
+ * General Public License for more details.
|
|
13
|
+ *
|
|
14
|
+ * You should have received a copy of the GNU General Public License
|
|
15
|
+ * along with this program; if not, write to the Free Software
|
|
16
|
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
|
17
|
+ */
|
|
18
|
+
|
|
19
|
+FILE_LICENCE ( GPL2_OR_LATER );
|
|
20
|
+
|
|
21
|
+/** @file
|
|
22
|
+ *
|
|
23
|
+ * DRBG mechanism
|
|
24
|
+ *
|
|
25
|
+ * This mechanism is designed to comply with ANS X9.82 Part 3-2007
|
|
26
|
+ * Section 9. This standard is not freely available, but most of the
|
|
27
|
+ * text appears to be shared with NIST SP 800-90, which can be
|
|
28
|
+ * downloaded from
|
|
29
|
+ *
|
|
30
|
+ * http://csrc.nist.gov/publications/nistpubs/800-90/SP800-90revised_March2007.pdf
|
|
31
|
+ *
|
|
32
|
+ * Where possible, references are given to both documents. In the
|
|
33
|
+ * case of any disagreement, ANS X9.82 takes priority over NIST SP
|
|
34
|
+ * 800-90. (In particular, note that some algorithms that are
|
|
35
|
+ * Approved by NIST SP 800-90 are not Approved by ANS X9.82.)
|
|
36
|
+ */
|
|
37
|
+
|
|
38
|
+#include <stdint.h>
|
|
39
|
+#include <errno.h>
|
|
40
|
+#include <assert.h>
|
|
41
|
+#include <ipxe/entropy.h>
|
|
42
|
+#include <ipxe/drbg.h>
|
|
43
|
+
|
|
44
|
+/**
|
|
45
|
+ * Instantiate DRBG
|
|
46
|
+ *
|
|
47
|
+ * @v state Algorithm state to be initialised
|
|
48
|
+ * @v personal Personalisation string
|
|
49
|
+ * @v personal_len Length of personalisation string
|
|
50
|
+ * @ret rc Return status code
|
|
51
|
+ *
|
|
52
|
+ * This is the Instantiate_function defined in ANS X9.82 Part 3-2007
|
|
53
|
+ * Section 9.2 (NIST SP 800-90 Section 9.1).
|
|
54
|
+ *
|
|
55
|
+ * Only a single security strength is supported, and prediction
|
|
56
|
+ * resistance is always enabled. The nonce is accounted for by
|
|
57
|
+ * increasing the entropy input, as per ANS X9.82 Part 3-2007 Section
|
|
58
|
+ * 8.4.2 (NIST SP 800-90 Section 8.6.7).
|
|
59
|
+ */
|
|
60
|
+int drbg_instantiate ( struct drbg_state *state, const void *personal,
|
|
61
|
+ size_t personal_len ) {
|
|
62
|
+ unsigned int entropy_bits = ( ( 3 * DRBG_SECURITY_STRENGTH + 1 ) / 2 );
|
|
63
|
+ size_t min_len = DRBG_MIN_ENTROPY_LEN_BYTES;
|
|
64
|
+ size_t max_len = DRBG_MAX_ENTROPY_LEN_BYTES;
|
|
65
|
+ uint8_t data[ entropy_bufsize ( entropy_bits, min_len, max_len ) ];
|
|
66
|
+ int len;
|
|
67
|
+ int rc;
|
|
68
|
+
|
|
69
|
+ DBGC ( state, "DRBG %p instantiate\n", state );
|
|
70
|
+
|
|
71
|
+ /* Sanity checks */
|
|
72
|
+ assert ( state != NULL );
|
|
73
|
+
|
|
74
|
+ /* 1. If requested_instantiation_security_strength >
|
|
75
|
+ * highest_supported_security_strength, then return an
|
|
76
|
+ * ERROR_FLAG
|
|
77
|
+ */
|
|
78
|
+ if ( DRBG_SECURITY_STRENGTH > DRBG_MAX_SECURITY_STRENGTH ) {
|
|
79
|
+ DBGC ( state, "DRBG %p cannot support security strength %d\n",
|
|
80
|
+ state, DRBG_SECURITY_STRENGTH );
|
|
81
|
+ return -ENOTSUP;
|
|
82
|
+ }
|
|
83
|
+
|
|
84
|
+ /* 2. If prediction_resistance_flag is set, and prediction
|
|
85
|
+ * resistance is not supported, then return an ERROR_FLAG
|
|
86
|
+ *
|
|
87
|
+ * (Nothing to do since prediction resistance is always
|
|
88
|
+ * supported.)
|
|
89
|
+ */
|
|
90
|
+
|
|
91
|
+ /* 3. If the length of the personalization_string >
|
|
92
|
+ * max_personalization_string_length, return an ERROR_FLAG
|
|
93
|
+ */
|
|
94
|
+ if ( personal_len > DRBG_MAX_PERSONAL_LEN_BYTES ) {
|
|
95
|
+ DBGC ( state, "DRBG %p personalisation string too long (%zd "
|
|
96
|
+ "bytes)\n", state, personal_len );
|
|
97
|
+ return -ERANGE;
|
|
98
|
+ }
|
|
99
|
+
|
|
100
|
+ /* 4. Set security_strength to the nearest security strength
|
|
101
|
+ * greater than or equal to
|
|
102
|
+ * requested_instantiation_security_strength.
|
|
103
|
+ *
|
|
104
|
+ * (Nothing to do since we support only a single security
|
|
105
|
+ * strength.)
|
|
106
|
+ */
|
|
107
|
+
|
|
108
|
+ /* 5. Using the security_strength, select appropriate DRBG
|
|
109
|
+ * mechanism parameters.
|
|
110
|
+ *
|
|
111
|
+ * (Nothing to do since we support only a single security
|
|
112
|
+ * strength.)
|
|
113
|
+ */
|
|
114
|
+
|
|
115
|
+ /* 6. ( status, entropy_input ) = Get_entropy_input (
|
|
116
|
+ * security_strength, min_length, max_length,
|
|
117
|
+ * prediction_resistance_request )
|
|
118
|
+ * 7. If an ERROR is returned in step 6, return a
|
|
119
|
+ * CATASTROPHIC_ERROR_FLAG.
|
|
120
|
+ * 8. Obtain a nonce.
|
|
121
|
+ */
|
|
122
|
+ len = get_entropy_input ( entropy_bits, data, min_len,
|
|
123
|
+ sizeof ( data ) );
|
|
124
|
+ if ( len < 0 ) {
|
|
125
|
+ rc = len;
|
|
126
|
+ DBGC ( state, "DRBG %p could not get entropy input: %s\n",
|
|
127
|
+ state, strerror ( rc ) );
|
|
128
|
+ return rc;
|
|
129
|
+ }
|
|
130
|
+ assert ( len >= min_len );
|
|
131
|
+ assert ( len <= sizeof ( data ) );
|
|
132
|
+
|
|
133
|
+ /* 9. initial_working_state = Instantiate_algorithm (
|
|
134
|
+ * entropy_input, nonce, personalization_string ).
|
|
135
|
+ */
|
|
136
|
+ drbg_instantiate_algorithm ( state, data, len, personal, personal_len );
|
|
137
|
+
|
|
138
|
+ /* 10. Get a state_handle for a currently empty state. If an
|
|
139
|
+ * empty internal state cannot be found, return an
|
|
140
|
+ * ERROR_FLAG.
|
|
141
|
+ * 11. Set the internal state indicated by state_handle to
|
|
142
|
+ * the initial values for the internal state (i.e. set
|
|
143
|
+ * the working_state to the values returned as
|
|
144
|
+ * initial_working_state in step 9 and any other values
|
|
145
|
+ * required for the working_state, and set the
|
|
146
|
+ * administrative information to the appropriate values.
|
|
147
|
+ *
|
|
148
|
+ * (Almost nothing to do since the memory to hold the state
|
|
149
|
+ * was passed in by the caller and has already been updated
|
|
150
|
+ * in-situ.)
|
|
151
|
+ */
|
|
152
|
+ state->reseed_required = 0;
|
|
153
|
+
|
|
154
|
+ /* 12. Return SUCCESS and state_handle. */
|
|
155
|
+ return 0;
|
|
156
|
+}
|
|
157
|
+
|
|
158
|
+/**
|
|
159
|
+ * Reseed DRBG
|
|
160
|
+ *
|
|
161
|
+ * @v state Algorithm state
|
|
162
|
+ * @v additional Additional input
|
|
163
|
+ * @v additional_len Length of additional input
|
|
164
|
+ * @ret rc Return status code
|
|
165
|
+ *
|
|
166
|
+ * This is the Reseed_function defined in ANS X9.82 Part 3-2007
|
|
167
|
+ * Section 9.3 (NIST SP 800-90 Section 9.2).
|
|
168
|
+ *
|
|
169
|
+ * Prediction resistance is always enabled.
|
|
170
|
+ */
|
|
171
|
+int drbg_reseed ( struct drbg_state *state, const void *additional,
|
|
172
|
+ size_t additional_len ) {
|
|
173
|
+ unsigned int entropy_bits = DRBG_SECURITY_STRENGTH;
|
|
174
|
+ size_t min_len = DRBG_MIN_ENTROPY_LEN_BYTES;
|
|
175
|
+ size_t max_len = DRBG_MAX_ENTROPY_LEN_BYTES;
|
|
176
|
+ uint8_t data[ entropy_bufsize ( entropy_bits, min_len, max_len ) ];
|
|
177
|
+ int len;
|
|
178
|
+ int rc;
|
|
179
|
+
|
|
180
|
+ DBGC ( state, "DRBG %p reseed\n", state );
|
|
181
|
+
|
|
182
|
+ /* Sanity checks */
|
|
183
|
+ assert ( state != NULL );
|
|
184
|
+
|
|
185
|
+ /* 1. Using state_handle, obtain the current internal state.
|
|
186
|
+ * If state_handle indicates an invalid or empty internal
|
|
187
|
+ * state, return an ERROR_FLAG.
|
|
188
|
+ *
|
|
189
|
+ * (Nothing to do since the memory holding the internal state
|
|
190
|
+ * was passed in by the caller.)
|
|
191
|
+ */
|
|
192
|
+
|
|
193
|
+ /* 2. If prediction_resistance_request is set, and
|
|
194
|
+ * prediction_resistance_flag is not set, then return an
|
|
195
|
+ * ERROR_FLAG.
|
|
196
|
+ *
|
|
197
|
+ * (Nothing to do since prediction resistance is always
|
|
198
|
+ * supported.)
|
|
199
|
+ */
|
|
200
|
+
|
|
201
|
+ /* 3. If the length of the additional_input >
|
|
202
|
+ * max_additional_input_length, return an ERROR_FLAG.
|
|
203
|
+ */
|
|
204
|
+ if ( additional_len > DRBG_MAX_ADDITIONAL_LEN_BYTES ) {
|
|
205
|
+ DBGC ( state, "DRBG %p additional input too long (%zd bytes)\n",
|
|
206
|
+ state, additional_len );
|
|
207
|
+ return -ERANGE;
|
|
208
|
+ }
|
|
209
|
+
|
|
210
|
+ /* 4. ( status, entropy_input ) = Get_entropy_input (
|
|
211
|
+ * security_strength, min_length, max_length,
|
|
212
|
+ * prediction_resistance_request ).
|
|
213
|
+ *
|
|
214
|
+ * 5. If an ERROR is returned in step 4, return a
|
|
215
|
+ * CATASTROPHIC_ERROR_FLAG.
|
|
216
|
+ */
|
|
217
|
+ len = get_entropy_input ( entropy_bits, data, min_len,
|
|
218
|
+ sizeof ( data ) );
|
|
219
|
+ if ( len < 0 ) {
|
|
220
|
+ rc = len;
|
|
221
|
+ DBGC ( state, "DRBG %p could not get entropy input: %s\n",
|
|
222
|
+ state, strerror ( rc ) );
|
|
223
|
+ return rc;
|
|
224
|
+ }
|
|
225
|
+
|
|
226
|
+ /* 6. new_working_state = Reseed_algorithm ( working_state,
|
|
227
|
+ * entropy_input, additional_input ).
|
|
228
|
+ */
|
|
229
|
+ drbg_reseed_algorithm ( state, data, len, additional, additional_len );
|
|
230
|
+
|
|
231
|
+ /* 7. Replace the working_state in the internal state
|
|
232
|
+ * indicated by state_handle with the values of
|
|
233
|
+ * new_working_state obtained in step 6.
|
|
234
|
+ *
|
|
235
|
+ * (Nothing to do since the state has already been updated in-situ.)
|
|
236
|
+ */
|
|
237
|
+
|
|
238
|
+ /* 8. Return SUCCESS. */
|
|
239
|
+ return 0;
|
|
240
|
+}
|
|
241
|
+
|
|
242
|
+/**
|
|
243
|
+ * Generate pseudorandom bits using DRBG
|
|
244
|
+ *
|
|
245
|
+ * @v state Algorithm state
|
|
246
|
+ * @v additional Additional input
|
|
247
|
+ * @v additional_len Length of additional input
|
|
248
|
+ * @v prediction_resist Prediction resistance is required
|
|
249
|
+ * @v data Output buffer
|
|
250
|
+ * @v len Length of output buffer
|
|
251
|
+ * @ret rc Return status code
|
|
252
|
+ *
|
|
253
|
+ * This is the Generate_function defined in ANS X9.82 Part 3-2007
|
|
254
|
+ * Section 9.4 (NIST SP 800-90 Section 9.3).
|
|
255
|
+ *
|
|
256
|
+ * Requests must be for an integral number of bytes. Only a single
|
|
257
|
+ * security strength is supported. Prediction resistance is supported
|
|
258
|
+ * if requested.
|
|
259
|
+ */
|
|
260
|
+int drbg_generate ( struct drbg_state *state, const void *additional,
|
|
261
|
+ size_t additional_len, int prediction_resist,
|
|
262
|
+ void *data, size_t len ) {
|
|
263
|
+ int rc;
|
|
264
|
+
|
|
265
|
+ DBGC ( state, "DRBG %p generate\n", state );
|
|
266
|
+
|
|
267
|
+ /* Sanity checks */
|
|
268
|
+ assert ( state != NULL );
|
|
269
|
+ assert ( data != NULL );
|
|
270
|
+
|
|
271
|
+ /* 1. Using state_handle, obtain the current internal state
|
|
272
|
+ * for the instantiation. If state_handle indicates an
|
|
273
|
+ * invalid or empty internal state, then return an ERROR_FLAG.
|
|
274
|
+ *
|
|
275
|
+ * (Nothing to do since the memory holding the internal state
|
|
276
|
+ * was passed in by the caller.)
|
|
277
|
+ */
|
|
278
|
+
|
|
279
|
+ /* 2. If requested_number_of_bits >
|
|
280
|
+ * max_number_of_bits_per_request, then return an
|
|
281
|
+ * ERROR_FLAG.
|
|
282
|
+ */
|
|
283
|
+ if ( len > DRBG_MAX_GENERATED_LEN_BYTES ) {
|
|
284
|
+ DBGC ( state, "DRBG %p request too long (%zd bytes)\n",
|
|
285
|
+ state, len );
|
|
286
|
+ return -ERANGE;
|
|
287
|
+ }
|
|
288
|
+
|
|
289
|
+ /* 3. If requested_security_strength > the security_strength
|
|
290
|
+ * indicated in the internal state, then return an
|
|
291
|
+ * ERROR_FLAG.
|
|
292
|
+ *
|
|
293
|
+ * (Nothing to do since only a single security strength is
|
|
294
|
+ * supported.)
|
|
295
|
+ */
|
|
296
|
+
|
|
297
|
+ /* 4. If the length of the additional_input >
|
|
298
|
+ * max_additional_input_length, then return an ERROR_FLAG.
|
|
299
|
+ */
|
|
300
|
+ if ( additional_len > DRBG_MAX_ADDITIONAL_LEN_BYTES ) {
|
|
301
|
+ DBGC ( state, "DRBG %p additional input too long (%zd bytes)\n",
|
|
302
|
+ state, additional_len );
|
|
303
|
+ return -ERANGE;
|
|
304
|
+ }
|
|
305
|
+
|
|
306
|
+ /* 5. If prediction_resistance_request is set, and
|
|
307
|
+ * prediction_resistance_flag is not set, then return an
|
|
308
|
+ * ERROR_FLAG.
|
|
309
|
+ *
|
|
310
|
+ * (Nothing to do since prediction resistance is always
|
|
311
|
+ * supported.)
|
|
312
|
+ */
|
|
313
|
+
|
|
314
|
+ /* 6. Clear the reseed_required_flag. */
|
|
315
|
+ state->reseed_required = 0;
|
|
316
|
+
|
|
317
|
+ step_7:
|
|
318
|
+ /* 7. If reseed_required_flag is set, or if
|
|
319
|
+ * prediction_resistance_request is set, then
|
|
320
|
+ */
|
|
321
|
+ if ( state->reseed_required || prediction_resist ) {
|
|
322
|
+
|
|
323
|
+ /* 7.1 status = Reseed_function ( state_handle,
|
|
324
|
+ * prediction_resistance_request,
|
|
325
|
+ * additional_input )
|
|
326
|
+ * 7.2 If status indicates an ERROR, then return
|
|
327
|
+ * status.
|
|
328
|
+ */
|
|
329
|
+ if ( ( rc = drbg_reseed ( state, additional,
|
|
330
|
+ additional_len ) ) != 0 ) {
|
|
331
|
+ DBGC ( state, "DRBG %p could not reseed: %s\n",
|
|
332
|
+ state, strerror ( rc ) );
|
|
333
|
+ return rc;
|
|
334
|
+ }
|
|
335
|
+
|
|
336
|
+ /* 7.3 Using state_handle, obtain the new internal
|
|
337
|
+ * state.
|
|
338
|
+ *
|
|
339
|
+ * (Nothing to do since the internal state has been
|
|
340
|
+ * updated in-situ.)
|
|
341
|
+ */
|
|
342
|
+
|
|
343
|
+ /* 7.4 additional_input = the Null string. */
|
|
344
|
+ additional = NULL;
|
|
345
|
+ additional_len = 0;
|
|
346
|
+
|
|
347
|
+ /* 7.5 Clear the reseed_required_flag. */
|
|
348
|
+ state->reseed_required = 0;
|
|
349
|
+ }
|
|
350
|
+
|
|
351
|
+ /* 8. ( status, pseudorandom_bits, new_working_state ) =
|
|
352
|
+ * Generate_algorithm ( working_state,
|
|
353
|
+ * requested_number_of_bits, additional_input ).
|
|
354
|
+ */
|
|
355
|
+ rc = drbg_generate_algorithm ( state, additional, additional_len,
|
|
356
|
+ data, len );
|
|
357
|
+
|
|
358
|
+ /* 9. If status indicates that a reseed is required before
|
|
359
|
+ * the requested bits can be generated, then
|
|
360
|
+ */
|
|
361
|
+ if ( rc != 0 ) {
|
|
362
|
+
|
|
363
|
+ /* 9.1 Set the reseed_required_flag. */
|
|
364
|
+ state->reseed_required = 1;
|
|
365
|
+
|
|
366
|
+ /* 9.2 If the prediction_resistance_flag is set, then
|
|
367
|
+ * set the prediction_resistance_request
|
|
368
|
+ * indication.
|
|
369
|
+ */
|
|
370
|
+ prediction_resist = 1;
|
|
371
|
+
|
|
372
|
+ /* 9.3 Go to step 7. */
|
|
373
|
+ goto step_7;
|
|
374
|
+ }
|
|
375
|
+
|
|
376
|
+ /* 10. Replace the old working_state in the internal state
|
|
377
|
+ * indicated by state_handle with the values of
|
|
378
|
+ * new_working_state.
|
|
379
|
+ *
|
|
380
|
+ * (Nothing to do since the working state has already been
|
|
381
|
+ * updated in-situ.)
|
|
382
|
+ */
|
|
383
|
+
|
|
384
|
+ /* 11. Return SUCCESS and pseudorandom_bits. */
|
|
385
|
+ return 0;
|
|
386
|
+}
|
|
387
|
+
|
|
388
|
+/**
|
|
389
|
+ * Uninstantiate DRBG
|
|
390
|
+ *
|
|
391
|
+ * @v state Algorithm state
|
|
392
|
+ *
|
|
393
|
+ * This is the Uninstantiate_function defined in ANS X9.82 Part 3-2007
|
|
394
|
+ * Section 9.5 (NIST SP 800-90 Section 9.4).
|
|
395
|
+ */
|
|
396
|
+void drbg_uninstantiate ( struct drbg_state *state ) {
|
|
397
|
+
|
|
398
|
+ DBGC ( state, "DRBG %p uninstantiate\n", state );
|
|
399
|
+
|
|
400
|
+ /* Sanity checks */
|
|
401
|
+ assert ( state != NULL );
|
|
402
|
+
|
|
403
|
+ /* 1. If state_handle indicates an invalid state, then return
|
|
404
|
+ * an ERROR_FLAG.
|
|
405
|
+ *
|
|
406
|
+ * (Nothing to do since the memory holding the internal state
|
|
407
|
+ * was passed in by the caller.)
|
|
408
|
+ */
|
|
409
|
+
|
|
410
|
+ /* 2. Erase the contents of the internal state indicated by
|
|
411
|
+ * state_handle.
|
|
412
|
+ */
|
|
413
|
+ memset ( state, 0, sizeof ( *state ) );
|
|
414
|
+
|
|
415
|
+ /* 3. Return SUCCESS. */
|
|
416
|
+}
|