robin.thoni
/
ipxe


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153
							#ifndef _IPXE_HMAC_DRBG_H
#define _IPXE_HMAC_DRBG_H

/** @file
 *
 * HMAC_DRBG algorithm
 *
 */

FILE_LICENCE ( GPL2_OR_LATER );

#include <stdint.h>
#include <ipxe/sha1.h>

/** Use SHA-1 as the underlying hash algorithm
 *
 * HMAC_DRBG using SHA-1 is an Approved algorithm in ANS X9.82.
 */
#define hmac_drbg_algorithm sha1_algorithm

/** Maximum security strength
 *
 * The maximum security strength of HMAC_DRBG using SHA-1 is 128 bits
 * (according to the list of maximum security strengths documented in
 * NIST SP 800-57 Part 1 Section 5.6.1 Table 3).
 */
#define HMAC_DRBG_MAX_SECURITY_STRENGTH 128

/** Security strength
 *
 * For the sake of implementation simplicity, only a single security
 * strength is supported, which is the maximum security strength
 * supported by the algorithm.
 */
#define HMAC_DRBG_SECURITY_STRENGTH HMAC_DRBG_MAX_SECURITY_STRENGTH

/** Underlying hash algorithm output length (in bytes) */
#define HMAC_DRBG_OUTLEN_BYTES SHA1_DIGEST_SIZE

/** Required minimum entropy for instantiate and reseed
 *
 * The minimum required entropy for HMAC_DRBG is equal to the security
 * strength according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2
 * (NIST SP 800-90 Section 10.1 Table 2).
 */
#define HMAC_DRBG_MIN_ENTROPY_BYTES ( HMAC_DRBG_SECURITY_STRENGTH / 8 )

/** Minimum entropy input length
 *
 * The minimum entropy input length for HMAC_DRBG is equal to the
 * security strength according to ANS X9.82 Part 3-2007 Section 10.2.1
 * Table 2 (NIST SP 800-90 Section 10.1 Table 2).
 */
#define HMAC_DRBG_MIN_ENTROPY_LEN_BYTES ( HMAC_DRBG_SECURITY_STRENGTH / 8 )

/** Maximum entropy input length
 *
 * The maximum entropy input length for HMAC_DRBG is 2^35 bits
 * according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2 (NIST SP
 * 800-90 Section 10.1 Table 2).
 *
 * We choose to allow up to 32 bytes.
 */
#define HMAC_DRBG_MAX_ENTROPY_LEN_BYTES 32

/** Maximum personalisation string length
 *
 * The maximum permitted personalisation string length for HMAC_DRBG
 * is 2^35 bits according to ANS X9.82 Part 3-2007 Section 10.2.1
 * Table 1 (NIST SP 800-90 Section 10.1 Table 2).
 *
 * We choose to allow up to 2^32-1 bytes (i.e. 2^35-8 bits).
 */
#define HMAC_DRBG_MAX_PERSONAL_LEN_BYTES 0xffffffffUL

/** Maximum additional input length
 *
 * The maximum permitted additional input length for HMAC_DRBG is 2^35
 * bits according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 1
 * (NIST SP 800-90 Section 10.1 Table 2).
 *
 * We choose to allow up to 2^32-1 bytes (i.e. 2^35-8 bits).
 */
#define HMAC_DRBG_MAX_ADDITIONAL_LEN_BYTES 0xffffffffUL

/** Maximum length of generated pseudorandom data per request
 *
 * The maximum number of bits per request for HMAC_DRBG is 2^19 bits
 * according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 1 (NIST SP
 * 800-90 Section 10.1 Table 2).
 *
 * We choose to allow up to 2^16-1 bytes (i.e. 2^19-8 bits).
 */
#define HMAC_DRBG_MAX_GENERATED_LEN_BYTES 0x0000ffffUL

/** Reseed interval
 *
 * The maximum permitted reseed interval for HMAC_DRBG using SHA-1 is
 * 2^48 according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2
 * (NIST SP 800-90 Section 10.1 Table 2).  However, the sample
 * implementation given in ANS X9.82 Part 3-2007 Annex E.2.1 (NIST SP
 * 800-90 Appendix F.2) shows a reseed interval of 10000.
 *
 * We choose a very conservative reseed interval.
 */
#define HMAC_DRBG_RESEED_INTERVAL 1024

/** Underlying hash algorithm context size (in bytes) */
#define HMAC_DRBG_CTX_SIZE SHA1_CTX_SIZE

/**
 * HMAC_DRBG internal state
 *
 * This structure is defined by ANS X9.82 Part 3-2007 Section
 * 10.2.2.2.1 (NIST SP 800-90 Section 10.1.2.1).
 *
 * The "administrative information" portions (security_strength and
 * prediction_resistance) are design-time constants and so are not
 * present as fields in this structure.
 */
struct hmac_drbg_state {
	/** Current value
	 *
	 * "The value V of outlen bits, which is updated each time
	 * another outlen bits of output are produced"
	 */
	uint8_t value[HMAC_DRBG_OUTLEN_BYTES];
	/** Current key
	 *
	 * "The outlen-bit Key, which is updated at least once each
	 * time that the DRBG mechanism generates pseudorandom bits."
	 */
	uint8_t key[HMAC_DRBG_OUTLEN_BYTES];
	/** Reseed counter
	 *
	 * "A counter (reseed_counter) that indicates the number of
	 * requests for pseudorandom bits since instantiation or
	 * reseeding"
	 */
	unsigned int reseed_counter;
};

extern void hmac_drbg_instantiate ( struct hmac_drbg_state *state,
				    const void *entropy, size_t entropy_len,
				    const void *personal, size_t personal_len );
extern void hmac_drbg_reseed ( struct hmac_drbg_state *state,
			       const void *entropy, size_t entropy_len,
			       const void *additional, size_t additional_len );
extern int hmac_drbg_generate ( struct hmac_drbg_state *state,
				const void *additional, size_t additional_len,
				void *data, size_t len );

#endif /* _IPXE_HMAC_DRBG_H */