robin.thoni
/
ipxe
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 11 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5243 Commits
2 Branches
Tree: fdad22a1ed
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'fdad22a1ed'
${ noResults }
ipxe/src/crypto/drbg.c

drbg.c 13KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431 
  1. /*

  2.  * Copyright (C) 2012 Michael Brown <mbrown@fensystems.co.uk>.

  3.  *

  4.  * This program is free software; you can redistribute it and/or

  5.  * modify it under the terms of the GNU General Public License as

  6.  * published by the Free Software Foundation; either version 2 of the

  7.  * License, or any later version.

  8.  *

  9.  * This program is distributed in the hope that it will be useful, but

  10.  * WITHOUT ANY WARRANTY; without even the implied warranty of

  11.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

  12.  * General Public License for more details.

  13.  *

  14.  * You should have received a copy of the GNU General Public License

  15.  * along with this program; if not, write to the Free Software

  16.  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA

  17.  * 02110-1301, USA.

  18.  *

  19.  * You can also choose to distribute this program under the terms of

  20.  * the Unmodified Binary Distribution Licence (as given in the file

  21.  * COPYING.UBDL), provided that you have satisfied its requirements.

  22.  */

  23. 

  24. FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );

  25. 

  26. /** @file

  27.  *

  28.  * DRBG mechanism

  29.  *

  30.  * This mechanism is designed to comply with ANS X9.82 Part 3-2007

  31.  * Section 9.  This standard is not freely available, but most of the

  32.  * text appears to be shared with NIST SP 800-90, which can be

  33.  * downloaded from

  34.  *

  35.  *     http://csrc.nist.gov/publications/nistpubs/800-90/SP800-90revised_March2007.pdf

  36.  *

  37.  * Where possible, references are given to both documents.  In the

  38.  * case of any disagreement, ANS X9.82 takes priority over NIST SP

  39.  * 800-90.  (In particular, note that some algorithms that are

  40.  * Approved by NIST SP 800-90 are not Approved by ANS X9.82.)

  41.  */

  42. 

  43. #include <stdint.h>

  44. #include <string.h>

  45. #include <errno.h>

  46. #include <assert.h>

  47. #include <ipxe/entropy.h>

  48. #include <ipxe/drbg.h>

  49. 

  50. /**

  51.  * Instantiate DRBG

  52.  *

  53.  * @v state		Algorithm state to be initialised

  54.  * @v personal		Personalisation string

  55.  * @v personal_len	Length of personalisation string

  56.  * @ret rc		Return status code

  57.  *

  58.  * This is the Instantiate_function defined in ANS X9.82 Part 3-2007

  59.  * Section 9.2 (NIST SP 800-90 Section 9.1).

  60.  *

  61.  * Only a single security strength is supported, and prediction

  62.  * resistance is always enabled.  The nonce is accounted for by

  63.  * increasing the entropy input, as per ANS X9.82 Part 3-2007 Section

  64.  * 8.4.2 (NIST SP 800-90 Section 8.6.7).

  65.  */

  66. int drbg_instantiate ( struct drbg_state *state, const void *personal,

  67. 		       size_t personal_len ) {

  68. 	unsigned int entropy_bits = ( ( 3 * DRBG_SECURITY_STRENGTH + 1 ) / 2 );

  69. 	size_t min_len = DRBG_MIN_ENTROPY_LEN_BYTES;

  70. 	size_t max_len = DRBG_MAX_ENTROPY_LEN_BYTES;

  71. 	uint8_t data[max_len];

  72. 	int len;

  73. 	int rc;

  74. 

  75. 	DBGC ( state, "DRBG %p instantiate\n", state );

  76. 

  77. 	/* Sanity checks */

  78. 	assert ( state != NULL );

  79. 

  80. 	/* 1.  If requested_instantiation_security_strength >

  81. 	 *     highest_supported_security_strength, then return an

  82. 	 *     ERROR_FLAG

  83. 	 */

  84. 	if ( DRBG_SECURITY_STRENGTH > DRBG_MAX_SECURITY_STRENGTH ) {

  85. 		DBGC ( state, "DRBG %p cannot support security strength %d\n",

  86. 		       state, DRBG_SECURITY_STRENGTH );

  87. 		return -ENOTSUP;

  88. 	}

  89. 

  90. 	/* 2.  If prediction_resistance_flag is set, and prediction

  91. 	 *     resistance is not supported, then return an ERROR_FLAG

  92. 	 *

  93. 	 * (Nothing to do since prediction resistance is always

  94. 	 * supported.)

  95. 	 */

  96. 

  97. 	/* 3.  If the length of the personalization_string >

  98. 	 *     max_personalization_string_length, return an ERROR_FLAG

  99. 	 */

  100. 	if ( personal_len > DRBG_MAX_PERSONAL_LEN_BYTES ) {

  101. 		DBGC ( state, "DRBG %p personalisation string too long (%zd "

  102. 		       "bytes)\n", state, personal_len );

  103. 		return -ERANGE;

  104. 	}

  105. 

  106. 	/* 4.  Set security_strength to the nearest security strength

  107. 	 *     greater than or equal to

  108. 	 *     requested_instantiation_security_strength.

  109. 	 *

  110. 	 * (Nothing to do since we support only a single security

  111. 	 * strength.)

  112. 	 */

  113. 

  114. 	/* 5.  Using the security_strength, select appropriate DRBG

  115. 	 *     mechanism parameters.

  116. 	 *

  117. 	 * (Nothing to do since we support only a single security

  118. 	 * strength.)

  119. 	 */

  120. 

  121. 	/* 6.  ( status, entropy_input ) = Get_entropy_input (

  122. 	 *     security_strength, min_length, max_length,

  123. 	 *     prediction_resistance_request )

  124. 	 * 7.  If an ERROR is returned in step 6, return a

  125. 	 *     CATASTROPHIC_ERROR_FLAG.

  126. 	 * 8.  Obtain a nonce.

  127. 	 */

  128. 	len = get_entropy_input ( entropy_bits, data, min_len,

  129. 				  sizeof ( data ) );

  130. 	if ( len < 0 ) {

  131. 		rc = len;

  132. 		DBGC ( state, "DRBG %p could not get entropy input: %s\n",

  133. 		       state, strerror ( rc ) );

  134. 		return rc;

  135. 	}

  136. 	assert ( len >= ( int ) min_len );

  137. 	assert ( len <= ( int ) sizeof ( data ) );

  138. 

  139. 	/* 9.  initial_working_state = Instantiate_algorithm (

  140. 	 *     entropy_input, nonce, personalization_string ).

  141. 	 */

  142. 	drbg_instantiate_algorithm ( state, data, len, personal, personal_len );

  143. 

  144. 	/* 10.  Get a state_handle for a currently empty state.  If an

  145. 	 *      empty internal state cannot be found, return an

  146. 	 *      ERROR_FLAG.

  147. 	 * 11.  Set the internal state indicated by state_handle to

  148. 	 *      the initial values for the internal state (i.e. set

  149. 	 *      the working_state to the values returned as

  150. 	 *      initial_working_state in step 9 and any other values

  151. 	 *      required for the working_state, and set the

  152. 	 *      administrative information to the appropriate values.

  153. 	 *

  154. 	 * (Almost nothing to do since the memory to hold the state

  155. 	 * was passed in by the caller and has already been updated

  156. 	 * in-situ.)

  157. 	 */

  158. 	state->reseed_required = 0;

  159. 	state->valid = 1;

  160. 

  161. 	/* 12.  Return SUCCESS and state_handle. */

  162. 	return 0;

  163. }

  164. 

  165. /**

  166.  * Reseed DRBG

  167.  *

  168.  * @v state		Algorithm state

  169.  * @v additional	Additional input

  170.  * @v additional_len	Length of additional input

  171.  * @ret rc		Return status code

  172.  *

  173.  * This is the Reseed_function defined in ANS X9.82 Part 3-2007

  174.  * Section 9.3 (NIST SP 800-90 Section 9.2).

  175.  *

  176.  * Prediction resistance is always enabled.

  177.  */

  178. int drbg_reseed ( struct drbg_state *state, const void *additional,

  179. 		  size_t additional_len ) {

  180. 	unsigned int entropy_bits = DRBG_SECURITY_STRENGTH;

  181. 	size_t min_len = DRBG_MIN_ENTROPY_LEN_BYTES;

  182. 	size_t max_len = DRBG_MAX_ENTROPY_LEN_BYTES;

  183. 	uint8_t data[max_len];

  184. 	int len;

  185. 	int rc;

  186. 

  187. 	DBGC ( state, "DRBG %p reseed\n", state );

  188. 

  189. 	/* Sanity checks */

  190. 	assert ( state != NULL );

  191. 

  192. 	/* 1.  Using state_handle, obtain the current internal state.

  193. 	 *     If state_handle indicates an invalid or empty internal

  194. 	 *     state, return an ERROR_FLAG.

  195. 	 *

  196. 	 * (Almost nothing to do since the memory holding the internal

  197. 	 * state was passed in by the caller.)

  198. 	 */

  199. 	if ( ! state->valid ) {

  200. 		DBGC ( state, "DRBG %p not valid\n", state );

  201. 		return -EINVAL;

  202. 	}

  203. 

  204. 	/* 2.  If prediction_resistance_request is set, and

  205. 	 *     prediction_resistance_flag is not set, then return an

  206. 	 *     ERROR_FLAG.

  207. 	 *

  208. 	 * (Nothing to do since prediction resistance is always

  209. 	 * supported.)

  210. 	 */

  211. 

  212. 	/* 3.  If the length of the additional_input >

  213. 	 *     max_additional_input_length, return an ERROR_FLAG.

  214. 	 */

  215. 	if ( additional_len > DRBG_MAX_ADDITIONAL_LEN_BYTES ) {

  216. 		DBGC ( state, "DRBG %p additional input too long (%zd bytes)\n",

  217. 		       state, additional_len );

  218. 		return -ERANGE;

  219. 	}

  220. 

  221. 	/* 4.  ( status, entropy_input ) = Get_entropy_input (

  222. 	 *     security_strength, min_length, max_length,

  223. 	 *     prediction_resistance_request ).

  224. 	 *

  225. 	 * 5.  If an ERROR is returned in step 4, return a

  226. 	 *     CATASTROPHIC_ERROR_FLAG.

  227. 	 */

  228. 	len = get_entropy_input ( entropy_bits, data, min_len,

  229. 				  sizeof ( data ) );

  230. 	if ( len < 0 ) {

  231. 		rc = len;

  232. 		DBGC ( state, "DRBG %p could not get entropy input: %s\n",

  233. 		       state, strerror ( rc ) );

  234. 		return rc;

  235. 	}

  236. 

  237. 	/* 6.  new_working_state = Reseed_algorithm ( working_state,

  238. 	 *     entropy_input, additional_input ).

  239. 	 */

  240. 	drbg_reseed_algorithm ( state, data, len, additional, additional_len );

  241. 

  242. 	/* 7.  Replace the working_state in the internal state

  243. 	 *     indicated by state_handle with the values of

  244. 	 *     new_working_state obtained in step 6.

  245. 	 *

  246. 	 * (Nothing to do since the state has already been updated in-situ.)

  247. 	 */

  248. 

  249. 	/* 8.  Return SUCCESS. */

  250. 	return 0;

  251. }

  252. 

  253. /**

  254.  * Generate pseudorandom bits using DRBG

  255.  *

  256.  * @v state		Algorithm state

  257.  * @v additional	Additional input

  258.  * @v additional_len	Length of additional input

  259.  * @v prediction_resist	Prediction resistance is required

  260.  * @v data		Output buffer

  261.  * @v len		Length of output buffer

  262.  * @ret rc		Return status code

  263.  *

  264.  * This is the Generate_function defined in ANS X9.82 Part 3-2007

  265.  * Section 9.4 (NIST SP 800-90 Section 9.3).

  266.  *

  267.  * Requests must be for an integral number of bytes.  Only a single

  268.  * security strength is supported.  Prediction resistance is supported

  269.  * if requested.

  270.  */

  271. int drbg_generate ( struct drbg_state *state, const void *additional,

  272. 		    size_t additional_len, int prediction_resist,

  273. 		    void *data, size_t len ) {

  274. 	int rc;

  275. 

  276. 	DBGC ( state, "DRBG %p generate\n", state );

  277. 

  278. 	/* Sanity checks */

  279. 	assert ( state != NULL );

  280. 	assert ( data != NULL );

  281. 

  282. 	/* 1.  Using state_handle, obtain the current internal state

  283. 	 *     for the instantiation.  If state_handle indicates an

  284. 	 *     invalid or empty internal state, then return an ERROR_FLAG.

  285. 	 *

  286. 	 * (Almost nothing to do since the memory holding the internal

  287. 	 * state was passed in by the caller.)

  288. 	 */

  289. 	if ( ! state->valid ) {

  290. 		DBGC ( state, "DRBG %p not valid\n", state );

  291. 		return -EINVAL;

  292. 	}

  293. 

  294. 	/* 2.  If requested_number_of_bits >

  295. 	 *     max_number_of_bits_per_request, then return an

  296. 	 *     ERROR_FLAG.

  297. 	 */

  298. 	if ( len > DRBG_MAX_GENERATED_LEN_BYTES ) {

  299. 		DBGC ( state, "DRBG %p request too long (%zd bytes)\n",

  300. 		       state, len );

  301. 		return -ERANGE;

  302. 	}

  303. 

  304. 	/* 3.  If requested_security_strength > the security_strength

  305. 	 *     indicated in the internal state, then return an

  306. 	 *     ERROR_FLAG.

  307. 	 *

  308. 	 * (Nothing to do since only a single security strength is

  309. 	 * supported.)

  310. 	 */

  311. 

  312. 	/* 4.  If the length of the additional_input >

  313. 	 *     max_additional_input_length, then return an ERROR_FLAG.

  314. 	 */

  315. 	if ( additional_len > DRBG_MAX_ADDITIONAL_LEN_BYTES ) {

  316. 		DBGC ( state, "DRBG %p additional input too long (%zd bytes)\n",

  317. 		       state, additional_len );

  318. 		return -ERANGE;

  319. 	}

  320. 

  321. 	/* 5.  If prediction_resistance_request is set, and

  322. 	 *     prediction_resistance_flag is not set, then return an

  323. 	 *     ERROR_FLAG.

  324. 	 *

  325. 	 * (Nothing to do since prediction resistance is always

  326. 	 * supported.)

  327. 	 */

  328. 

  329. 	/* 6.  Clear the reseed_required_flag. */

  330. 	state->reseed_required = 0;

  331. 

  332.  step_7:

  333. 	/* 7.  If reseed_required_flag is set, or if

  334. 	 *     prediction_resistance_request is set, then

  335. 	 */

  336. 	if ( state->reseed_required || prediction_resist ) {

  337. 

  338. 		/* 7.1  status = Reseed_function ( state_handle,

  339. 		 *      prediction_resistance_request,

  340. 		 *      additional_input )

  341. 		 * 7.2  If status indicates an ERROR, then return

  342. 		 *      status.

  343. 		 */

  344. 		if ( ( rc = drbg_reseed ( state, additional,

  345. 					  additional_len ) ) != 0 ) {

  346. 			DBGC ( state, "DRBG %p could not reseed: %s\n",

  347. 			       state, strerror ( rc ) );

  348. 			return rc;

  349. 		}

  350. 

  351. 		/* 7.3  Using state_handle, obtain the new internal

  352. 		 *      state.

  353. 		 *

  354. 		 * (Nothing to do since the internal state has been

  355. 		 * updated in-situ.)

  356. 		 */

  357. 

  358. 		/* 7.4  additional_input = the Null string. */

  359. 		additional = NULL;

  360. 		additional_len = 0;

  361. 

  362. 		/* 7.5  Clear the reseed_required_flag. */

  363. 		state->reseed_required = 0;

  364. 	}

  365. 

  366. 	/* 8.  ( status, pseudorandom_bits, new_working_state ) =

  367. 	 *     Generate_algorithm ( working_state,

  368. 	 *     requested_number_of_bits, additional_input ).

  369. 	 */

  370. 	rc = drbg_generate_algorithm ( state, additional, additional_len,

  371. 				       data, len );

  372. 

  373. 	/* 9.  If status indicates that a reseed is required before

  374. 	 *     the requested bits can be generated, then

  375. 	 */

  376. 	if ( rc != 0 ) {

  377. 

  378. 		/* 9.1  Set the reseed_required_flag. */

  379. 		state->reseed_required = 1;

  380. 

  381. 		/* 9.2  If the prediction_resistance_flag is set, then

  382. 		 *      set the prediction_resistance_request

  383. 		 *      indication.

  384. 		 */

  385. 		prediction_resist = 1;

  386. 

  387. 		/* 9.3  Go to step 7. */

  388. 		goto step_7;

  389. 	}

  390. 

  391. 	/* 10.  Replace the old working_state in the internal state

  392. 	 *      indicated by state_handle with the values of

  393. 	 *      new_working_state.

  394. 	 *

  395. 	 * (Nothing to do since the working state has already been

  396. 	 * updated in-situ.)

  397. 	 */

  398. 

  399. 	/* 11.  Return SUCCESS and pseudorandom_bits. */

  400. 	return 0;

  401. }

  402. 

  403. /**

  404.  * Uninstantiate DRBG

  405.  *

  406.  * @v state		Algorithm state

  407.  *

  408.  * This is the Uninstantiate_function defined in ANS X9.82 Part 3-2007

  409.  * Section 9.5 (NIST SP 800-90 Section 9.4).

  410.  */

  411. void drbg_uninstantiate ( struct drbg_state *state ) {

  412. 

  413. 	DBGC ( state, "DRBG %p uninstantiate\n", state );

  414. 

  415. 	/* Sanity checks */

  416. 	assert ( state != NULL );

  417. 

  418. 	/* 1.  If state_handle indicates an invalid state, then return

  419. 	 *     an ERROR_FLAG.

  420. 	 *

  421. 	 * (Nothing to do since the memory holding the internal state

  422. 	 * was passed in by the caller.)

  423. 	 */

  424. 

  425. 	/* 2.  Erase the contents of the internal state indicated by

  426. 	 *     state_handle.

  427. 	 */

  428. 	memset ( state, 0, sizeof ( *state ) );

  429. 

  430. 	/* 3.  Return SUCCESS. */

  431. }