You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

drbg.c 13KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431
  1. /*
  2. * Copyright (C) 2012 Michael Brown <mbrown@fensystems.co.uk>.
  3. *
  4. * This program is free software; you can redistribute it and/or
  5. * modify it under the terms of the GNU General Public License as
  6. * published by the Free Software Foundation; either version 2 of the
  7. * License, or any later version.
  8. *
  9. * This program is distributed in the hope that it will be useful, but
  10. * WITHOUT ANY WARRANTY; without even the implied warranty of
  11. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  12. * General Public License for more details.
  13. *
  14. * You should have received a copy of the GNU General Public License
  15. * along with this program; if not, write to the Free Software
  16. * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
  17. * 02110-1301, USA.
  18. *
  19. * You can also choose to distribute this program under the terms of
  20. * the Unmodified Binary Distribution Licence (as given in the file
  21. * COPYING.UBDL), provided that you have satisfied its requirements.
  22. */
  23. FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
  24. /** @file
  25. *
  26. * DRBG mechanism
  27. *
  28. * This mechanism is designed to comply with ANS X9.82 Part 3-2007
  29. * Section 9. This standard is not freely available, but most of the
  30. * text appears to be shared with NIST SP 800-90, which can be
  31. * downloaded from
  32. *
  33. * http://csrc.nist.gov/publications/nistpubs/800-90/SP800-90revised_March2007.pdf
  34. *
  35. * Where possible, references are given to both documents. In the
  36. * case of any disagreement, ANS X9.82 takes priority over NIST SP
  37. * 800-90. (In particular, note that some algorithms that are
  38. * Approved by NIST SP 800-90 are not Approved by ANS X9.82.)
  39. */
  40. #include <stdint.h>
  41. #include <string.h>
  42. #include <errno.h>
  43. #include <assert.h>
  44. #include <ipxe/entropy.h>
  45. #include <ipxe/drbg.h>
  46. /**
  47. * Instantiate DRBG
  48. *
  49. * @v state Algorithm state to be initialised
  50. * @v personal Personalisation string
  51. * @v personal_len Length of personalisation string
  52. * @ret rc Return status code
  53. *
  54. * This is the Instantiate_function defined in ANS X9.82 Part 3-2007
  55. * Section 9.2 (NIST SP 800-90 Section 9.1).
  56. *
  57. * Only a single security strength is supported, and prediction
  58. * resistance is always enabled. The nonce is accounted for by
  59. * increasing the entropy input, as per ANS X9.82 Part 3-2007 Section
  60. * 8.4.2 (NIST SP 800-90 Section 8.6.7).
  61. */
  62. int drbg_instantiate ( struct drbg_state *state, const void *personal,
  63. size_t personal_len ) {
  64. unsigned int entropy_bits = ( ( 3 * DRBG_SECURITY_STRENGTH + 1 ) / 2 );
  65. size_t min_len = DRBG_MIN_ENTROPY_LEN_BYTES;
  66. size_t max_len = DRBG_MAX_ENTROPY_LEN_BYTES;
  67. uint8_t data[max_len];
  68. int len;
  69. int rc;
  70. DBGC ( state, "DRBG %p instantiate\n", state );
  71. /* Sanity checks */
  72. assert ( state != NULL );
  73. /* 1. If requested_instantiation_security_strength >
  74. * highest_supported_security_strength, then return an
  75. * ERROR_FLAG
  76. */
  77. if ( DRBG_SECURITY_STRENGTH > DRBG_MAX_SECURITY_STRENGTH ) {
  78. DBGC ( state, "DRBG %p cannot support security strength %d\n",
  79. state, DRBG_SECURITY_STRENGTH );
  80. return -ENOTSUP;
  81. }
  82. /* 2. If prediction_resistance_flag is set, and prediction
  83. * resistance is not supported, then return an ERROR_FLAG
  84. *
  85. * (Nothing to do since prediction resistance is always
  86. * supported.)
  87. */
  88. /* 3. If the length of the personalization_string >
  89. * max_personalization_string_length, return an ERROR_FLAG
  90. */
  91. if ( personal_len > DRBG_MAX_PERSONAL_LEN_BYTES ) {
  92. DBGC ( state, "DRBG %p personalisation string too long (%zd "
  93. "bytes)\n", state, personal_len );
  94. return -ERANGE;
  95. }
  96. /* 4. Set security_strength to the nearest security strength
  97. * greater than or equal to
  98. * requested_instantiation_security_strength.
  99. *
  100. * (Nothing to do since we support only a single security
  101. * strength.)
  102. */
  103. /* 5. Using the security_strength, select appropriate DRBG
  104. * mechanism parameters.
  105. *
  106. * (Nothing to do since we support only a single security
  107. * strength.)
  108. */
  109. /* 6. ( status, entropy_input ) = Get_entropy_input (
  110. * security_strength, min_length, max_length,
  111. * prediction_resistance_request )
  112. * 7. If an ERROR is returned in step 6, return a
  113. * CATASTROPHIC_ERROR_FLAG.
  114. * 8. Obtain a nonce.
  115. */
  116. len = get_entropy_input ( entropy_bits, data, min_len,
  117. sizeof ( data ) );
  118. if ( len < 0 ) {
  119. rc = len;
  120. DBGC ( state, "DRBG %p could not get entropy input: %s\n",
  121. state, strerror ( rc ) );
  122. return rc;
  123. }
  124. assert ( len >= ( int ) min_len );
  125. assert ( len <= ( int ) sizeof ( data ) );
  126. /* 9. initial_working_state = Instantiate_algorithm (
  127. * entropy_input, nonce, personalization_string ).
  128. */
  129. drbg_instantiate_algorithm ( state, data, len, personal, personal_len );
  130. /* 10. Get a state_handle for a currently empty state. If an
  131. * empty internal state cannot be found, return an
  132. * ERROR_FLAG.
  133. * 11. Set the internal state indicated by state_handle to
  134. * the initial values for the internal state (i.e. set
  135. * the working_state to the values returned as
  136. * initial_working_state in step 9 and any other values
  137. * required for the working_state, and set the
  138. * administrative information to the appropriate values.
  139. *
  140. * (Almost nothing to do since the memory to hold the state
  141. * was passed in by the caller and has already been updated
  142. * in-situ.)
  143. */
  144. state->reseed_required = 0;
  145. state->valid = 1;
  146. /* 12. Return SUCCESS and state_handle. */
  147. return 0;
  148. }
  149. /**
  150. * Reseed DRBG
  151. *
  152. * @v state Algorithm state
  153. * @v additional Additional input
  154. * @v additional_len Length of additional input
  155. * @ret rc Return status code
  156. *
  157. * This is the Reseed_function defined in ANS X9.82 Part 3-2007
  158. * Section 9.3 (NIST SP 800-90 Section 9.2).
  159. *
  160. * Prediction resistance is always enabled.
  161. */
  162. int drbg_reseed ( struct drbg_state *state, const void *additional,
  163. size_t additional_len ) {
  164. unsigned int entropy_bits = DRBG_SECURITY_STRENGTH;
  165. size_t min_len = DRBG_MIN_ENTROPY_LEN_BYTES;
  166. size_t max_len = DRBG_MAX_ENTROPY_LEN_BYTES;
  167. uint8_t data[max_len];
  168. int len;
  169. int rc;
  170. DBGC ( state, "DRBG %p reseed\n", state );
  171. /* Sanity checks */
  172. assert ( state != NULL );
  173. /* 1. Using state_handle, obtain the current internal state.
  174. * If state_handle indicates an invalid or empty internal
  175. * state, return an ERROR_FLAG.
  176. *
  177. * (Almost nothing to do since the memory holding the internal
  178. * state was passed in by the caller.)
  179. */
  180. if ( ! state->valid ) {
  181. DBGC ( state, "DRBG %p not valid\n", state );
  182. return -EINVAL;
  183. }
  184. /* 2. If prediction_resistance_request is set, and
  185. * prediction_resistance_flag is not set, then return an
  186. * ERROR_FLAG.
  187. *
  188. * (Nothing to do since prediction resistance is always
  189. * supported.)
  190. */
  191. /* 3. If the length of the additional_input >
  192. * max_additional_input_length, return an ERROR_FLAG.
  193. */
  194. if ( additional_len > DRBG_MAX_ADDITIONAL_LEN_BYTES ) {
  195. DBGC ( state, "DRBG %p additional input too long (%zd bytes)\n",
  196. state, additional_len );
  197. return -ERANGE;
  198. }
  199. /* 4. ( status, entropy_input ) = Get_entropy_input (
  200. * security_strength, min_length, max_length,
  201. * prediction_resistance_request ).
  202. *
  203. * 5. If an ERROR is returned in step 4, return a
  204. * CATASTROPHIC_ERROR_FLAG.
  205. */
  206. len = get_entropy_input ( entropy_bits, data, min_len,
  207. sizeof ( data ) );
  208. if ( len < 0 ) {
  209. rc = len;
  210. DBGC ( state, "DRBG %p could not get entropy input: %s\n",
  211. state, strerror ( rc ) );
  212. return rc;
  213. }
  214. /* 6. new_working_state = Reseed_algorithm ( working_state,
  215. * entropy_input, additional_input ).
  216. */
  217. drbg_reseed_algorithm ( state, data, len, additional, additional_len );
  218. /* 7. Replace the working_state in the internal state
  219. * indicated by state_handle with the values of
  220. * new_working_state obtained in step 6.
  221. *
  222. * (Nothing to do since the state has already been updated in-situ.)
  223. */
  224. /* 8. Return SUCCESS. */
  225. return 0;
  226. }
  227. /**
  228. * Generate pseudorandom bits using DRBG
  229. *
  230. * @v state Algorithm state
  231. * @v additional Additional input
  232. * @v additional_len Length of additional input
  233. * @v prediction_resist Prediction resistance is required
  234. * @v data Output buffer
  235. * @v len Length of output buffer
  236. * @ret rc Return status code
  237. *
  238. * This is the Generate_function defined in ANS X9.82 Part 3-2007
  239. * Section 9.4 (NIST SP 800-90 Section 9.3).
  240. *
  241. * Requests must be for an integral number of bytes. Only a single
  242. * security strength is supported. Prediction resistance is supported
  243. * if requested.
  244. */
  245. int drbg_generate ( struct drbg_state *state, const void *additional,
  246. size_t additional_len, int prediction_resist,
  247. void *data, size_t len ) {
  248. int rc;
  249. DBGC ( state, "DRBG %p generate\n", state );
  250. /* Sanity checks */
  251. assert ( state != NULL );
  252. assert ( data != NULL );
  253. /* 1. Using state_handle, obtain the current internal state
  254. * for the instantiation. If state_handle indicates an
  255. * invalid or empty internal state, then return an ERROR_FLAG.
  256. *
  257. * (Almost nothing to do since the memory holding the internal
  258. * state was passed in by the caller.)
  259. */
  260. if ( ! state->valid ) {
  261. DBGC ( state, "DRBG %p not valid\n", state );
  262. return -EINVAL;
  263. }
  264. /* 2. If requested_number_of_bits >
  265. * max_number_of_bits_per_request, then return an
  266. * ERROR_FLAG.
  267. */
  268. if ( len > DRBG_MAX_GENERATED_LEN_BYTES ) {
  269. DBGC ( state, "DRBG %p request too long (%zd bytes)\n",
  270. state, len );
  271. return -ERANGE;
  272. }
  273. /* 3. If requested_security_strength > the security_strength
  274. * indicated in the internal state, then return an
  275. * ERROR_FLAG.
  276. *
  277. * (Nothing to do since only a single security strength is
  278. * supported.)
  279. */
  280. /* 4. If the length of the additional_input >
  281. * max_additional_input_length, then return an ERROR_FLAG.
  282. */
  283. if ( additional_len > DRBG_MAX_ADDITIONAL_LEN_BYTES ) {
  284. DBGC ( state, "DRBG %p additional input too long (%zd bytes)\n",
  285. state, additional_len );
  286. return -ERANGE;
  287. }
  288. /* 5. If prediction_resistance_request is set, and
  289. * prediction_resistance_flag is not set, then return an
  290. * ERROR_FLAG.
  291. *
  292. * (Nothing to do since prediction resistance is always
  293. * supported.)
  294. */
  295. /* 6. Clear the reseed_required_flag. */
  296. state->reseed_required = 0;
  297. step_7:
  298. /* 7. If reseed_required_flag is set, or if
  299. * prediction_resistance_request is set, then
  300. */
  301. if ( state->reseed_required || prediction_resist ) {
  302. /* 7.1 status = Reseed_function ( state_handle,
  303. * prediction_resistance_request,
  304. * additional_input )
  305. * 7.2 If status indicates an ERROR, then return
  306. * status.
  307. */
  308. if ( ( rc = drbg_reseed ( state, additional,
  309. additional_len ) ) != 0 ) {
  310. DBGC ( state, "DRBG %p could not reseed: %s\n",
  311. state, strerror ( rc ) );
  312. return rc;
  313. }
  314. /* 7.3 Using state_handle, obtain the new internal
  315. * state.
  316. *
  317. * (Nothing to do since the internal state has been
  318. * updated in-situ.)
  319. */
  320. /* 7.4 additional_input = the Null string. */
  321. additional = NULL;
  322. additional_len = 0;
  323. /* 7.5 Clear the reseed_required_flag. */
  324. state->reseed_required = 0;
  325. }
  326. /* 8. ( status, pseudorandom_bits, new_working_state ) =
  327. * Generate_algorithm ( working_state,
  328. * requested_number_of_bits, additional_input ).
  329. */
  330. rc = drbg_generate_algorithm ( state, additional, additional_len,
  331. data, len );
  332. /* 9. If status indicates that a reseed is required before
  333. * the requested bits can be generated, then
  334. */
  335. if ( rc != 0 ) {
  336. /* 9.1 Set the reseed_required_flag. */
  337. state->reseed_required = 1;
  338. /* 9.2 If the prediction_resistance_flag is set, then
  339. * set the prediction_resistance_request
  340. * indication.
  341. */
  342. prediction_resist = 1;
  343. /* 9.3 Go to step 7. */
  344. goto step_7;
  345. }
  346. /* 10. Replace the old working_state in the internal state
  347. * indicated by state_handle with the values of
  348. * new_working_state.
  349. *
  350. * (Nothing to do since the working state has already been
  351. * updated in-situ.)
  352. */
  353. /* 11. Return SUCCESS and pseudorandom_bits. */
  354. return 0;
  355. }
  356. /**
  357. * Uninstantiate DRBG
  358. *
  359. * @v state Algorithm state
  360. *
  361. * This is the Uninstantiate_function defined in ANS X9.82 Part 3-2007
  362. * Section 9.5 (NIST SP 800-90 Section 9.4).
  363. */
  364. void drbg_uninstantiate ( struct drbg_state *state ) {
  365. DBGC ( state, "DRBG %p uninstantiate\n", state );
  366. /* Sanity checks */
  367. assert ( state != NULL );
  368. /* 1. If state_handle indicates an invalid state, then return
  369. * an ERROR_FLAG.
  370. *
  371. * (Nothing to do since the memory holding the internal state
  372. * was passed in by the caller.)
  373. */
  374. /* 2. Erase the contents of the internal state indicated by
  375. * state_handle.
  376. */
  377. memset ( state, 0, sizeof ( *state ) );
  378. /* 3. Return SUCCESS. */
  379. }