robin.thoni
/
ipxe
Beobachten 1
Favorisieren 0
Fork 0
Code Issues 0 Pull-Requests 0 Releases 11 Wiki Aktivität
Du kannst nicht mehr als 25 Themen auswählen Themen müssen mit entweder einem Buchstaben oder einer Ziffer beginnen. Sie können Bindestriche („-“) enthalten und bis zu 35 Zeichen lang sein.
4076 Commits
2 Branches
Struktur: 196751ce95
Branches Tags
${ item.name }
Erstelle Branch ${ searchTerm }
von „196751ce95“
${ noResults }
ipxe/src/crypto/drbg.c

drbg.c 12KB
Verlauf Originalformat

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426 
  1. /*

  2.  * Copyright (C) 2012 Michael Brown <mbrown@fensystems.co.uk>.

  3.  *

  4.  * This program is free software; you can redistribute it and/or

  5.  * modify it under the terms of the GNU General Public License as

  6.  * published by the Free Software Foundation; either version 2 of the

  7.  * License, or any later version.

  8.  *

  9.  * This program is distributed in the hope that it will be useful, but

  10.  * WITHOUT ANY WARRANTY; without even the implied warranty of

  11.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

  12.  * General Public License for more details.

  13.  *

  14.  * You should have received a copy of the GNU General Public License

  15.  * along with this program; if not, write to the Free Software

  16.  * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

  17.  */

  18. 

  19. FILE_LICENCE ( GPL2_OR_LATER );

  20. 

  21. /** @file

  22.  *

  23.  * DRBG mechanism

  24.  *

  25.  * This mechanism is designed to comply with ANS X9.82 Part 3-2007

  26.  * Section 9.  This standard is not freely available, but most of the

  27.  * text appears to be shared with NIST SP 800-90, which can be

  28.  * downloaded from

  29.  *

  30.  *     http://csrc.nist.gov/publications/nistpubs/800-90/SP800-90revised_March2007.pdf

  31.  *

  32.  * Where possible, references are given to both documents.  In the

  33.  * case of any disagreement, ANS X9.82 takes priority over NIST SP

  34.  * 800-90.  (In particular, note that some algorithms that are

  35.  * Approved by NIST SP 800-90 are not Approved by ANS X9.82.)

  36.  */

  37. 

  38. #include <stdint.h>

  39. #include <string.h>

  40. #include <errno.h>

  41. #include <assert.h>

  42. #include <ipxe/entropy.h>

  43. #include <ipxe/drbg.h>

  44. 

  45. /**

  46.  * Instantiate DRBG

  47.  *

  48.  * @v state		Algorithm state to be initialised

  49.  * @v personal		Personalisation string

  50.  * @v personal_len	Length of personalisation string

  51.  * @ret rc		Return status code

  52.  *

  53.  * This is the Instantiate_function defined in ANS X9.82 Part 3-2007

  54.  * Section 9.2 (NIST SP 800-90 Section 9.1).

  55.  *

  56.  * Only a single security strength is supported, and prediction

  57.  * resistance is always enabled.  The nonce is accounted for by

  58.  * increasing the entropy input, as per ANS X9.82 Part 3-2007 Section

  59.  * 8.4.2 (NIST SP 800-90 Section 8.6.7).

  60.  */

  61. int drbg_instantiate ( struct drbg_state *state, const void *personal,

  62. 		       size_t personal_len ) {

  63. 	unsigned int entropy_bits = ( ( 3 * DRBG_SECURITY_STRENGTH + 1 ) / 2 );

  64. 	size_t min_len = DRBG_MIN_ENTROPY_LEN_BYTES;

  65. 	size_t max_len = DRBG_MAX_ENTROPY_LEN_BYTES;

  66. 	uint8_t data[max_len];

  67. 	int len;

  68. 	int rc;

  69. 

  70. 	DBGC ( state, "DRBG %p instantiate\n", state );

  71. 

  72. 	/* Sanity checks */

  73. 	assert ( state != NULL );

  74. 

  75. 	/* 1.  If requested_instantiation_security_strength >

  76. 	 *     highest_supported_security_strength, then return an

  77. 	 *     ERROR_FLAG

  78. 	 */

  79. 	if ( DRBG_SECURITY_STRENGTH > DRBG_MAX_SECURITY_STRENGTH ) {

  80. 		DBGC ( state, "DRBG %p cannot support security strength %d\n",

  81. 		       state, DRBG_SECURITY_STRENGTH );

  82. 		return -ENOTSUP;

  83. 	}

  84. 

  85. 	/* 2.  If prediction_resistance_flag is set, and prediction

  86. 	 *     resistance is not supported, then return an ERROR_FLAG

  87. 	 *

  88. 	 * (Nothing to do since prediction resistance is always

  89. 	 * supported.)

  90. 	 */

  91. 

  92. 	/* 3.  If the length of the personalization_string >

  93. 	 *     max_personalization_string_length, return an ERROR_FLAG

  94. 	 */

  95. 	if ( personal_len > DRBG_MAX_PERSONAL_LEN_BYTES ) {

  96. 		DBGC ( state, "DRBG %p personalisation string too long (%zd "

  97. 		       "bytes)\n", state, personal_len );

  98. 		return -ERANGE;

  99. 	}

  100. 

  101. 	/* 4.  Set security_strength to the nearest security strength

  102. 	 *     greater than or equal to

  103. 	 *     requested_instantiation_security_strength.

  104. 	 *

  105. 	 * (Nothing to do since we support only a single security

  106. 	 * strength.)

  107. 	 */

  108. 

  109. 	/* 5.  Using the security_strength, select appropriate DRBG

  110. 	 *     mechanism parameters.

  111. 	 *

  112. 	 * (Nothing to do since we support only a single security

  113. 	 * strength.)

  114. 	 */

  115. 

  116. 	/* 6.  ( status, entropy_input ) = Get_entropy_input (

  117. 	 *     security_strength, min_length, max_length,

  118. 	 *     prediction_resistance_request )

  119. 	 * 7.  If an ERROR is returned in step 6, return a

  120. 	 *     CATASTROPHIC_ERROR_FLAG.

  121. 	 * 8.  Obtain a nonce.

  122. 	 */

  123. 	len = get_entropy_input ( entropy_bits, data, min_len,

  124. 				  sizeof ( data ) );

  125. 	if ( len < 0 ) {

  126. 		rc = len;

  127. 		DBGC ( state, "DRBG %p could not get entropy input: %s\n",

  128. 		       state, strerror ( rc ) );

  129. 		return rc;

  130. 	}

  131. 	assert ( len >= ( int ) min_len );

  132. 	assert ( len <= ( int ) sizeof ( data ) );

  133. 

  134. 	/* 9.  initial_working_state = Instantiate_algorithm (

  135. 	 *     entropy_input, nonce, personalization_string ).

  136. 	 */

  137. 	drbg_instantiate_algorithm ( state, data, len, personal, personal_len );

  138. 

  139. 	/* 10.  Get a state_handle for a currently empty state.  If an

  140. 	 *      empty internal state cannot be found, return an

  141. 	 *      ERROR_FLAG.

  142. 	 * 11.  Set the internal state indicated by state_handle to

  143. 	 *      the initial values for the internal state (i.e. set

  144. 	 *      the working_state to the values returned as

  145. 	 *      initial_working_state in step 9 and any other values

  146. 	 *      required for the working_state, and set the

  147. 	 *      administrative information to the appropriate values.

  148. 	 *

  149. 	 * (Almost nothing to do since the memory to hold the state

  150. 	 * was passed in by the caller and has already been updated

  151. 	 * in-situ.)

  152. 	 */

  153. 	state->reseed_required = 0;

  154. 	state->valid = 1;

  155. 

  156. 	/* 12.  Return SUCCESS and state_handle. */

  157. 	return 0;

  158. }

  159. 

  160. /**

  161.  * Reseed DRBG

  162.  *

  163.  * @v state		Algorithm state

  164.  * @v additional	Additional input

  165.  * @v additional_len	Length of additional input

  166.  * @ret rc		Return status code

  167.  *

  168.  * This is the Reseed_function defined in ANS X9.82 Part 3-2007

  169.  * Section 9.3 (NIST SP 800-90 Section 9.2).

  170.  *

  171.  * Prediction resistance is always enabled.

  172.  */

  173. int drbg_reseed ( struct drbg_state *state, const void *additional,

  174. 		  size_t additional_len ) {

  175. 	unsigned int entropy_bits = DRBG_SECURITY_STRENGTH;

  176. 	size_t min_len = DRBG_MIN_ENTROPY_LEN_BYTES;

  177. 	size_t max_len = DRBG_MAX_ENTROPY_LEN_BYTES;

  178. 	uint8_t data[max_len];

  179. 	int len;

  180. 	int rc;

  181. 

  182. 	DBGC ( state, "DRBG %p reseed\n", state );

  183. 

  184. 	/* Sanity checks */

  185. 	assert ( state != NULL );

  186. 

  187. 	/* 1.  Using state_handle, obtain the current internal state.

  188. 	 *     If state_handle indicates an invalid or empty internal

  189. 	 *     state, return an ERROR_FLAG.

  190. 	 *

  191. 	 * (Almost nothing to do since the memory holding the internal

  192. 	 * state was passed in by the caller.)

  193. 	 */

  194. 	if ( ! state->valid ) {

  195. 		DBGC ( state, "DRBG %p not valid\n", state );

  196. 		return -EINVAL;

  197. 	}

  198. 

  199. 	/* 2.  If prediction_resistance_request is set, and

  200. 	 *     prediction_resistance_flag is not set, then return an

  201. 	 *     ERROR_FLAG.

  202. 	 *

  203. 	 * (Nothing to do since prediction resistance is always

  204. 	 * supported.)

  205. 	 */

  206. 

  207. 	/* 3.  If the length of the additional_input >

  208. 	 *     max_additional_input_length, return an ERROR_FLAG.

  209. 	 */

  210. 	if ( additional_len > DRBG_MAX_ADDITIONAL_LEN_BYTES ) {

  211. 		DBGC ( state, "DRBG %p additional input too long (%zd bytes)\n",

  212. 		       state, additional_len );

  213. 		return -ERANGE;

  214. 	}

  215. 

  216. 	/* 4.  ( status, entropy_input ) = Get_entropy_input (

  217. 	 *     security_strength, min_length, max_length,

  218. 	 *     prediction_resistance_request ).

  219. 	 *

  220. 	 * 5.  If an ERROR is returned in step 4, return a

  221. 	 *     CATASTROPHIC_ERROR_FLAG.

  222. 	 */

  223. 	len = get_entropy_input ( entropy_bits, data, min_len,

  224. 				  sizeof ( data ) );

  225. 	if ( len < 0 ) {

  226. 		rc = len;

  227. 		DBGC ( state, "DRBG %p could not get entropy input: %s\n",

  228. 		       state, strerror ( rc ) );

  229. 		return rc;

  230. 	}

  231. 

  232. 	/* 6.  new_working_state = Reseed_algorithm ( working_state,

  233. 	 *     entropy_input, additional_input ).

  234. 	 */

  235. 	drbg_reseed_algorithm ( state, data, len, additional, additional_len );

  236. 

  237. 	/* 7.  Replace the working_state in the internal state

  238. 	 *     indicated by state_handle with the values of

  239. 	 *     new_working_state obtained in step 6.

  240. 	 *

  241. 	 * (Nothing to do since the state has already been updated in-situ.)

  242. 	 */

  243. 

  244. 	/* 8.  Return SUCCESS. */

  245. 	return 0;

  246. }

  247. 

  248. /**

  249.  * Generate pseudorandom bits using DRBG

  250.  *

  251.  * @v state		Algorithm state

  252.  * @v additional	Additional input

  253.  * @v additional_len	Length of additional input

  254.  * @v prediction_resist	Prediction resistance is required

  255.  * @v data		Output buffer

  256.  * @v len		Length of output buffer

  257.  * @ret rc		Return status code

  258.  *

  259.  * This is the Generate_function defined in ANS X9.82 Part 3-2007

  260.  * Section 9.4 (NIST SP 800-90 Section 9.3).

  261.  *

  262.  * Requests must be for an integral number of bytes.  Only a single

  263.  * security strength is supported.  Prediction resistance is supported

  264.  * if requested.

  265.  */

  266. int drbg_generate ( struct drbg_state *state, const void *additional,

  267. 		    size_t additional_len, int prediction_resist,

  268. 		    void *data, size_t len ) {

  269. 	int rc;

  270. 

  271. 	DBGC ( state, "DRBG %p generate\n", state );

  272. 

  273. 	/* Sanity checks */

  274. 	assert ( state != NULL );

  275. 	assert ( data != NULL );

  276. 

  277. 	/* 1.  Using state_handle, obtain the current internal state

  278. 	 *     for the instantiation.  If state_handle indicates an

  279. 	 *     invalid or empty internal state, then return an ERROR_FLAG.

  280. 	 *

  281. 	 * (Almost nothing to do since the memory holding the internal

  282. 	 * state was passed in by the caller.)

  283. 	 */

  284. 	if ( ! state->valid ) {

  285. 		DBGC ( state, "DRBG %p not valid\n", state );

  286. 		return -EINVAL;

  287. 	}

  288. 

  289. 	/* 2.  If requested_number_of_bits >

  290. 	 *     max_number_of_bits_per_request, then return an

  291. 	 *     ERROR_FLAG.

  292. 	 */

  293. 	if ( len > DRBG_MAX_GENERATED_LEN_BYTES ) {

  294. 		DBGC ( state, "DRBG %p request too long (%zd bytes)\n",

  295. 		       state, len );

  296. 		return -ERANGE;

  297. 	}

  298. 

  299. 	/* 3.  If requested_security_strength > the security_strength

  300. 	 *     indicated in the internal state, then return an

  301. 	 *     ERROR_FLAG.

  302. 	 *

  303. 	 * (Nothing to do since only a single security strength is

  304. 	 * supported.)

  305. 	 */

  306. 

  307. 	/* 4.  If the length of the additional_input >

  308. 	 *     max_additional_input_length, then return an ERROR_FLAG.

  309. 	 */

  310. 	if ( additional_len > DRBG_MAX_ADDITIONAL_LEN_BYTES ) {

  311. 		DBGC ( state, "DRBG %p additional input too long (%zd bytes)\n",

  312. 		       state, additional_len );

  313. 		return -ERANGE;

  314. 	}

  315. 

  316. 	/* 5.  If prediction_resistance_request is set, and

  317. 	 *     prediction_resistance_flag is not set, then return an

  318. 	 *     ERROR_FLAG.

  319. 	 *

  320. 	 * (Nothing to do since prediction resistance is always

  321. 	 * supported.)

  322. 	 */

  323. 

  324. 	/* 6.  Clear the reseed_required_flag. */

  325. 	state->reseed_required = 0;

  326. 

  327.  step_7:

  328. 	/* 7.  If reseed_required_flag is set, or if

  329. 	 *     prediction_resistance_request is set, then

  330. 	 */

  331. 	if ( state->reseed_required || prediction_resist ) {

  332. 

  333. 		/* 7.1  status = Reseed_function ( state_handle,

  334. 		 *      prediction_resistance_request,

  335. 		 *      additional_input )

  336. 		 * 7.2  If status indicates an ERROR, then return

  337. 		 *      status.

  338. 		 */

  339. 		if ( ( rc = drbg_reseed ( state, additional,

  340. 					  additional_len ) ) != 0 ) {

  341. 			DBGC ( state, "DRBG %p could not reseed: %s\n",

  342. 			       state, strerror ( rc ) );

  343. 			return rc;

  344. 		}

  345. 

  346. 		/* 7.3  Using state_handle, obtain the new internal

  347. 		 *      state.

  348. 		 *

  349. 		 * (Nothing to do since the internal state has been

  350. 		 * updated in-situ.)

  351. 		 */

  352. 

  353. 		/* 7.4  additional_input = the Null string. */

  354. 		additional = NULL;

  355. 		additional_len = 0;

  356. 

  357. 		/* 7.5  Clear the reseed_required_flag. */

  358. 		state->reseed_required = 0;

  359. 	}

  360. 

  361. 	/* 8.  ( status, pseudorandom_bits, new_working_state ) =

  362. 	 *     Generate_algorithm ( working_state,

  363. 	 *     requested_number_of_bits, additional_input ).

  364. 	 */

  365. 	rc = drbg_generate_algorithm ( state, additional, additional_len,

  366. 				       data, len );

  367. 

  368. 	/* 9.  If status indicates that a reseed is required before

  369. 	 *     the requested bits can be generated, then

  370. 	 */

  371. 	if ( rc != 0 ) {

  372. 

  373. 		/* 9.1  Set the reseed_required_flag. */

  374. 		state->reseed_required = 1;

  375. 

  376. 		/* 9.2  If the prediction_resistance_flag is set, then

  377. 		 *      set the prediction_resistance_request

  378. 		 *      indication.

  379. 		 */

  380. 		prediction_resist = 1;

  381. 

  382. 		/* 9.3  Go to step 7. */

  383. 		goto step_7;

  384. 	}

  385. 

  386. 	/* 10.  Replace the old working_state in the internal state

  387. 	 *      indicated by state_handle with the values of

  388. 	 *      new_working_state.

  389. 	 *

  390. 	 * (Nothing to do since the working state has already been

  391. 	 * updated in-situ.)

  392. 	 */

  393. 

  394. 	/* 11.  Return SUCCESS and pseudorandom_bits. */

  395. 	return 0;

  396. }

  397. 

  398. /**

  399.  * Uninstantiate DRBG

  400.  *

  401.  * @v state		Algorithm state

  402.  *

  403.  * This is the Uninstantiate_function defined in ANS X9.82 Part 3-2007

  404.  * Section 9.5 (NIST SP 800-90 Section 9.4).

  405.  */

  406. void drbg_uninstantiate ( struct drbg_state *state ) {

  407. 

  408. 	DBGC ( state, "DRBG %p uninstantiate\n", state );

  409. 

  410. 	/* Sanity checks */

  411. 	assert ( state != NULL );

  412. 

  413. 	/* 1.  If state_handle indicates an invalid state, then return

  414. 	 *     an ERROR_FLAG.

  415. 	 *

  416. 	 * (Nothing to do since the memory holding the internal state

  417. 	 * was passed in by the caller.)

  418. 	 */

  419. 

  420. 	/* 2.  Erase the contents of the internal state indicated by

  421. 	 *     state_handle.

  422. 	 */

  423. 	memset ( state, 0, sizeof ( *state ) );

  424. 

  425. 	/* 3.  Return SUCCESS. */

  426. }