444 lines
13 KiB
C
444 lines
13 KiB
C
/*
|
|
* Copyright (C) 2012 Michael Brown <mbrown@fensystems.co.uk>.
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU General Public License as
|
|
* published by the Free Software Foundation; either version 2 of the
|
|
* License, or any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful, but
|
|
* WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
|
* 02110-1301, USA.
|
|
*
|
|
* You can also choose to distribute this program under the terms of
|
|
* the Unmodified Binary Distribution Licence (as given in the file
|
|
* COPYING.UBDL), provided that you have satisfied its requirements.
|
|
*
|
|
* Alternatively, you may distribute this code in source or binary
|
|
* form, with or without modification, provided that the following
|
|
* conditions are met:
|
|
*
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the above disclaimer.
|
|
*
|
|
* 2. Redistributions in binary form must reproduce the above
|
|
* copyright notice, this list of conditions and the above
|
|
* disclaimer in the documentation and/or other materials provided
|
|
* with the distribution.
|
|
*/
|
|
|
|
FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
|
|
|
|
/** @file
|
|
*
|
|
* DRBG mechanism
|
|
*
|
|
* This mechanism is designed to comply with ANS X9.82 Part 3-2007
|
|
* Section 9. This standard is not freely available, but most of the
|
|
* text appears to be shared with NIST SP 800-90, which can be
|
|
* downloaded from
|
|
*
|
|
* http://csrc.nist.gov/publications/nistpubs/800-90/SP800-90revised_March2007.pdf
|
|
*
|
|
* Where possible, references are given to both documents. In the
|
|
* case of any disagreement, ANS X9.82 takes priority over NIST SP
|
|
* 800-90. (In particular, note that some algorithms that are
|
|
* Approved by NIST SP 800-90 are not Approved by ANS X9.82.)
|
|
*/
|
|
|
|
#include <stdint.h>
|
|
#include <string.h>
|
|
#include <errno.h>
|
|
#include <assert.h>
|
|
#include <ipxe/entropy.h>
|
|
#include <ipxe/drbg.h>
|
|
|
|
/**
|
|
* Instantiate DRBG
|
|
*
|
|
* @v state Algorithm state to be initialised
|
|
* @v personal Personalisation string
|
|
* @v personal_len Length of personalisation string
|
|
* @ret rc Return status code
|
|
*
|
|
* This is the Instantiate_function defined in ANS X9.82 Part 3-2007
|
|
* Section 9.2 (NIST SP 800-90 Section 9.1).
|
|
*
|
|
* Only a single security strength is supported, and prediction
|
|
* resistance is always enabled. The nonce is accounted for by
|
|
* increasing the entropy input, as per ANS X9.82 Part 3-2007 Section
|
|
* 8.4.2 (NIST SP 800-90 Section 8.6.7).
|
|
*/
|
|
int drbg_instantiate ( struct drbg_state *state, const void *personal,
|
|
size_t personal_len ) {
|
|
unsigned int entropy_bits = ( ( 3 * DRBG_SECURITY_STRENGTH + 1 ) / 2 );
|
|
size_t min_len = DRBG_MIN_ENTROPY_LEN_BYTES;
|
|
size_t max_len = DRBG_MAX_ENTROPY_LEN_BYTES;
|
|
uint8_t data[max_len];
|
|
int len;
|
|
int rc;
|
|
|
|
DBGC ( state, "DRBG %p instantiate\n", state );
|
|
|
|
/* Sanity checks */
|
|
assert ( state != NULL );
|
|
|
|
/* 1. If requested_instantiation_security_strength >
|
|
* highest_supported_security_strength, then return an
|
|
* ERROR_FLAG
|
|
*/
|
|
if ( DRBG_SECURITY_STRENGTH > DRBG_MAX_SECURITY_STRENGTH ) {
|
|
DBGC ( state, "DRBG %p cannot support security strength %d\n",
|
|
state, DRBG_SECURITY_STRENGTH );
|
|
return -ENOTSUP;
|
|
}
|
|
|
|
/* 2. If prediction_resistance_flag is set, and prediction
|
|
* resistance is not supported, then return an ERROR_FLAG
|
|
*
|
|
* (Nothing to do since prediction resistance is always
|
|
* supported.)
|
|
*/
|
|
|
|
/* 3. If the length of the personalization_string >
|
|
* max_personalization_string_length, return an ERROR_FLAG
|
|
*/
|
|
if ( personal_len > DRBG_MAX_PERSONAL_LEN_BYTES ) {
|
|
DBGC ( state, "DRBG %p personalisation string too long (%zd "
|
|
"bytes)\n", state, personal_len );
|
|
return -ERANGE;
|
|
}
|
|
|
|
/* 4. Set security_strength to the nearest security strength
|
|
* greater than or equal to
|
|
* requested_instantiation_security_strength.
|
|
*
|
|
* (Nothing to do since we support only a single security
|
|
* strength.)
|
|
*/
|
|
|
|
/* 5. Using the security_strength, select appropriate DRBG
|
|
* mechanism parameters.
|
|
*
|
|
* (Nothing to do since we support only a single security
|
|
* strength.)
|
|
*/
|
|
|
|
/* 6. ( status, entropy_input ) = Get_entropy_input (
|
|
* security_strength, min_length, max_length,
|
|
* prediction_resistance_request )
|
|
* 7. If an ERROR is returned in step 6, return a
|
|
* CATASTROPHIC_ERROR_FLAG.
|
|
* 8. Obtain a nonce.
|
|
*/
|
|
len = get_entropy_input ( entropy_bits, data, min_len,
|
|
sizeof ( data ) );
|
|
if ( len < 0 ) {
|
|
rc = len;
|
|
DBGC ( state, "DRBG %p could not get entropy input: %s\n",
|
|
state, strerror ( rc ) );
|
|
return rc;
|
|
}
|
|
assert ( len >= ( int ) min_len );
|
|
assert ( len <= ( int ) sizeof ( data ) );
|
|
|
|
/* 9. initial_working_state = Instantiate_algorithm (
|
|
* entropy_input, nonce, personalization_string ).
|
|
*/
|
|
drbg_instantiate_algorithm ( state, data, len, personal, personal_len );
|
|
|
|
/* 10. Get a state_handle for a currently empty state. If an
|
|
* empty internal state cannot be found, return an
|
|
* ERROR_FLAG.
|
|
* 11. Set the internal state indicated by state_handle to
|
|
* the initial values for the internal state (i.e. set
|
|
* the working_state to the values returned as
|
|
* initial_working_state in step 9 and any other values
|
|
* required for the working_state, and set the
|
|
* administrative information to the appropriate values.
|
|
*
|
|
* (Almost nothing to do since the memory to hold the state
|
|
* was passed in by the caller and has already been updated
|
|
* in-situ.)
|
|
*/
|
|
state->reseed_required = 0;
|
|
state->valid = 1;
|
|
|
|
/* 12. Return SUCCESS and state_handle. */
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* Reseed DRBG
|
|
*
|
|
* @v state Algorithm state
|
|
* @v additional Additional input
|
|
* @v additional_len Length of additional input
|
|
* @ret rc Return status code
|
|
*
|
|
* This is the Reseed_function defined in ANS X9.82 Part 3-2007
|
|
* Section 9.3 (NIST SP 800-90 Section 9.2).
|
|
*
|
|
* Prediction resistance is always enabled.
|
|
*/
|
|
int drbg_reseed ( struct drbg_state *state, const void *additional,
|
|
size_t additional_len ) {
|
|
unsigned int entropy_bits = DRBG_SECURITY_STRENGTH;
|
|
size_t min_len = DRBG_MIN_ENTROPY_LEN_BYTES;
|
|
size_t max_len = DRBG_MAX_ENTROPY_LEN_BYTES;
|
|
uint8_t data[max_len];
|
|
int len;
|
|
int rc;
|
|
|
|
DBGC ( state, "DRBG %p reseed\n", state );
|
|
|
|
/* Sanity checks */
|
|
assert ( state != NULL );
|
|
|
|
/* 1. Using state_handle, obtain the current internal state.
|
|
* If state_handle indicates an invalid or empty internal
|
|
* state, return an ERROR_FLAG.
|
|
*
|
|
* (Almost nothing to do since the memory holding the internal
|
|
* state was passed in by the caller.)
|
|
*/
|
|
if ( ! state->valid ) {
|
|
DBGC ( state, "DRBG %p not valid\n", state );
|
|
return -EINVAL;
|
|
}
|
|
|
|
/* 2. If prediction_resistance_request is set, and
|
|
* prediction_resistance_flag is not set, then return an
|
|
* ERROR_FLAG.
|
|
*
|
|
* (Nothing to do since prediction resistance is always
|
|
* supported.)
|
|
*/
|
|
|
|
/* 3. If the length of the additional_input >
|
|
* max_additional_input_length, return an ERROR_FLAG.
|
|
*/
|
|
if ( additional_len > DRBG_MAX_ADDITIONAL_LEN_BYTES ) {
|
|
DBGC ( state, "DRBG %p additional input too long (%zd bytes)\n",
|
|
state, additional_len );
|
|
return -ERANGE;
|
|
}
|
|
|
|
/* 4. ( status, entropy_input ) = Get_entropy_input (
|
|
* security_strength, min_length, max_length,
|
|
* prediction_resistance_request ).
|
|
*
|
|
* 5. If an ERROR is returned in step 4, return a
|
|
* CATASTROPHIC_ERROR_FLAG.
|
|
*/
|
|
len = get_entropy_input ( entropy_bits, data, min_len,
|
|
sizeof ( data ) );
|
|
if ( len < 0 ) {
|
|
rc = len;
|
|
DBGC ( state, "DRBG %p could not get entropy input: %s\n",
|
|
state, strerror ( rc ) );
|
|
return rc;
|
|
}
|
|
|
|
/* 6. new_working_state = Reseed_algorithm ( working_state,
|
|
* entropy_input, additional_input ).
|
|
*/
|
|
drbg_reseed_algorithm ( state, data, len, additional, additional_len );
|
|
|
|
/* 7. Replace the working_state in the internal state
|
|
* indicated by state_handle with the values of
|
|
* new_working_state obtained in step 6.
|
|
*
|
|
* (Nothing to do since the state has already been updated in-situ.)
|
|
*/
|
|
|
|
/* 8. Return SUCCESS. */
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* Generate pseudorandom bits using DRBG
|
|
*
|
|
* @v state Algorithm state
|
|
* @v additional Additional input
|
|
* @v additional_len Length of additional input
|
|
* @v prediction_resist Prediction resistance is required
|
|
* @v data Output buffer
|
|
* @v len Length of output buffer
|
|
* @ret rc Return status code
|
|
*
|
|
* This is the Generate_function defined in ANS X9.82 Part 3-2007
|
|
* Section 9.4 (NIST SP 800-90 Section 9.3).
|
|
*
|
|
* Requests must be for an integral number of bytes. Only a single
|
|
* security strength is supported. Prediction resistance is supported
|
|
* if requested.
|
|
*/
|
|
int drbg_generate ( struct drbg_state *state, const void *additional,
|
|
size_t additional_len, int prediction_resist,
|
|
void *data, size_t len ) {
|
|
int rc;
|
|
|
|
DBGC ( state, "DRBG %p generate\n", state );
|
|
|
|
/* Sanity checks */
|
|
assert ( state != NULL );
|
|
assert ( data != NULL );
|
|
|
|
/* 1. Using state_handle, obtain the current internal state
|
|
* for the instantiation. If state_handle indicates an
|
|
* invalid or empty internal state, then return an ERROR_FLAG.
|
|
*
|
|
* (Almost nothing to do since the memory holding the internal
|
|
* state was passed in by the caller.)
|
|
*/
|
|
if ( ! state->valid ) {
|
|
DBGC ( state, "DRBG %p not valid\n", state );
|
|
return -EINVAL;
|
|
}
|
|
|
|
/* 2. If requested_number_of_bits >
|
|
* max_number_of_bits_per_request, then return an
|
|
* ERROR_FLAG.
|
|
*/
|
|
if ( len > DRBG_MAX_GENERATED_LEN_BYTES ) {
|
|
DBGC ( state, "DRBG %p request too long (%zd bytes)\n",
|
|
state, len );
|
|
return -ERANGE;
|
|
}
|
|
|
|
/* 3. If requested_security_strength > the security_strength
|
|
* indicated in the internal state, then return an
|
|
* ERROR_FLAG.
|
|
*
|
|
* (Nothing to do since only a single security strength is
|
|
* supported.)
|
|
*/
|
|
|
|
/* 4. If the length of the additional_input >
|
|
* max_additional_input_length, then return an ERROR_FLAG.
|
|
*/
|
|
if ( additional_len > DRBG_MAX_ADDITIONAL_LEN_BYTES ) {
|
|
DBGC ( state, "DRBG %p additional input too long (%zd bytes)\n",
|
|
state, additional_len );
|
|
return -ERANGE;
|
|
}
|
|
|
|
/* 5. If prediction_resistance_request is set, and
|
|
* prediction_resistance_flag is not set, then return an
|
|
* ERROR_FLAG.
|
|
*
|
|
* (Nothing to do since prediction resistance is always
|
|
* supported.)
|
|
*/
|
|
|
|
/* 6. Clear the reseed_required_flag. */
|
|
state->reseed_required = 0;
|
|
|
|
step_7:
|
|
/* 7. If reseed_required_flag is set, or if
|
|
* prediction_resistance_request is set, then
|
|
*/
|
|
if ( state->reseed_required || prediction_resist ) {
|
|
|
|
/* 7.1 status = Reseed_function ( state_handle,
|
|
* prediction_resistance_request,
|
|
* additional_input )
|
|
* 7.2 If status indicates an ERROR, then return
|
|
* status.
|
|
*/
|
|
if ( ( rc = drbg_reseed ( state, additional,
|
|
additional_len ) ) != 0 ) {
|
|
DBGC ( state, "DRBG %p could not reseed: %s\n",
|
|
state, strerror ( rc ) );
|
|
return rc;
|
|
}
|
|
|
|
/* 7.3 Using state_handle, obtain the new internal
|
|
* state.
|
|
*
|
|
* (Nothing to do since the internal state has been
|
|
* updated in-situ.)
|
|
*/
|
|
|
|
/* 7.4 additional_input = the Null string. */
|
|
additional = NULL;
|
|
additional_len = 0;
|
|
|
|
/* 7.5 Clear the reseed_required_flag. */
|
|
state->reseed_required = 0;
|
|
}
|
|
|
|
/* 8. ( status, pseudorandom_bits, new_working_state ) =
|
|
* Generate_algorithm ( working_state,
|
|
* requested_number_of_bits, additional_input ).
|
|
*/
|
|
rc = drbg_generate_algorithm ( state, additional, additional_len,
|
|
data, len );
|
|
|
|
/* 9. If status indicates that a reseed is required before
|
|
* the requested bits can be generated, then
|
|
*/
|
|
if ( rc != 0 ) {
|
|
|
|
/* 9.1 Set the reseed_required_flag. */
|
|
state->reseed_required = 1;
|
|
|
|
/* 9.2 If the prediction_resistance_flag is set, then
|
|
* set the prediction_resistance_request
|
|
* indication.
|
|
*/
|
|
prediction_resist = 1;
|
|
|
|
/* 9.3 Go to step 7. */
|
|
goto step_7;
|
|
}
|
|
|
|
/* 10. Replace the old working_state in the internal state
|
|
* indicated by state_handle with the values of
|
|
* new_working_state.
|
|
*
|
|
* (Nothing to do since the working state has already been
|
|
* updated in-situ.)
|
|
*/
|
|
|
|
/* 11. Return SUCCESS and pseudorandom_bits. */
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* Uninstantiate DRBG
|
|
*
|
|
* @v state Algorithm state
|
|
*
|
|
* This is the Uninstantiate_function defined in ANS X9.82 Part 3-2007
|
|
* Section 9.5 (NIST SP 800-90 Section 9.4).
|
|
*/
|
|
void drbg_uninstantiate ( struct drbg_state *state ) {
|
|
|
|
DBGC ( state, "DRBG %p uninstantiate\n", state );
|
|
|
|
/* Sanity checks */
|
|
assert ( state != NULL );
|
|
|
|
/* 1. If state_handle indicates an invalid state, then return
|
|
* an ERROR_FLAG.
|
|
*
|
|
* (Nothing to do since the memory holding the internal state
|
|
* was passed in by the caller.)
|
|
*/
|
|
|
|
/* 2. Erase the contents of the internal state indicated by
|
|
* state_handle.
|
|
*/
|
|
memset ( state, 0, sizeof ( *state ) );
|
|
|
|
/* 3. Return SUCCESS. */
|
|
}
|