iPXE
hmac_drbg.c
Go to the documentation of this file.
1 /*
2  * Copyright (C) 2012 Michael Brown <mbrown@fensystems.co.uk>.
3  *
4  * This program is free software; you can redistribute it and/or
5  * modify it under the terms of the GNU General Public License as
6  * published by the Free Software Foundation; either version 2 of the
7  * License, or any later version.
8  *
9  * This program is distributed in the hope that it will be useful, but
10  * WITHOUT ANY WARRANTY; without even the implied warranty of
11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12  * General Public License for more details.
13  *
14  * You should have received a copy of the GNU General Public License
15  * along with this program; if not, write to the Free Software
16  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
17  * 02110-1301, USA.
18  *
19  * You can also choose to distribute this program under the terms of
20  * the Unmodified Binary Distribution Licence (as given in the file
21  * COPYING.UBDL), provided that you have satisfied its requirements.
22  *
23  * Alternatively, you may distribute this code in source or binary
24  * form, with or without modification, provided that the following
25  * conditions are met:
26  *
27  * 1. Redistributions of source code must retain the above copyright
28  * notice, this list of conditions and the above disclaimer.
29  *
30  * 2. Redistributions in binary form must reproduce the above
31  * copyright notice, this list of conditions and the above
32  * disclaimer in the documentation and/or other materials provided
33  * with the distribution.
34  */
35 
36 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
37 
38 /** @file
39  *
40  * HMAC_DRBG algorithm
41  *
42  * This algorithm is designed to comply with ANS X9.82 Part 3-2007
43  * Section 10.2.2.2. This standard is not freely available, but most
44  * of the text appears to be shared with NIST SP 800-90, which can be
45  * downloaded from
46  *
47  * http://csrc.nist.gov/publications/nistpubs/800-90/SP800-90revised_March2007.pdf
48  *
49  * Where possible, references are given to both documents. In the
50  * case of any disagreement, ANS X9.82 takes priority over NIST SP
51  * 800-90. (In particular, note that some algorithms that are
52  * Approved by NIST SP 800-90 are not Approved by ANS X9.82.)
53  */
54 
55 #include <stdint.h>
56 #include <string.h>
57 #include <errno.h>
58 #include <assert.h>
59 #include <ipxe/crypto.h>
60 #include <ipxe/hmac.h>
61 #include <ipxe/hmac_drbg.h>
62 
63 /**
64  * Update the HMAC_DRBG key
65  *
66  * @v hash Underlying hash algorithm
67  * @v state HMAC_DRBG internal state
68  * @v data Provided data
69  * @v len Length of provided data
70  * @v single Single byte used in concatenation
71  *
72  * This function carries out the operation
73  *
74  * K = HMAC ( K, V || single || provided_data )
75  *
76  * as used by hmac_drbg_update()
77  */
78 static void hmac_drbg_update_key ( struct digest_algorithm *hash,
79  struct hmac_drbg_state *state,
80  const void *data, size_t len,
81  const uint8_t single ) {
82  uint8_t context[ hmac_ctxsize ( hash ) ];
83  size_t out_len = hash->digestsize;
84 
85  DBGC ( state, "HMAC_DRBG_%s %p provided data :\n", hash->name, state );
86  DBGC_HDA ( state, 0, data, len );
87 
88  /* Sanity checks */
89  assert ( hash != NULL );
90  assert ( state != NULL );
91  assert ( ( data != NULL ) || ( len == 0 ) );
92  assert ( ( single == 0x00 ) || ( single == 0x01 ) );
93 
94  /* K = HMAC ( K, V || single || provided_data ) */
95  hmac_init ( hash, context, state->key, out_len );
96  hmac_update ( hash, context, state->value, out_len );
97  hmac_update ( hash, context, &single, sizeof ( single ) );
98  hmac_update ( hash, context, data, len );
99  hmac_final ( hash, context, state->key );
100 
101  DBGC ( state, "HMAC_DRBG_%s %p K = HMAC ( K, V || %#02x || "
102  "provided_data ) :\n", hash->name, state, single );
103  DBGC_HDA ( state, 0, state->key, out_len );
104 }
105 
106 /**
107  * Update the HMAC_DRBG value
108  *
109  * @v hash Underlying hash algorithm
110  * @v state HMAC_DRBG internal state
111  * @v data Provided data
112  * @v len Length of provided data
113  * @v single Single byte used in concatenation
114  *
115  * This function carries out the operation
116  *
117  * V = HMAC ( K, V )
118  *
119  * as used by hmac_drbg_update() and hmac_drbg_generate()
120  */
121 static void hmac_drbg_update_value ( struct digest_algorithm *hash,
122  struct hmac_drbg_state *state ) {
123  uint8_t context[ hmac_ctxsize ( hash ) ];
124  size_t out_len = hash->digestsize;
125 
126  /* Sanity checks */
127  assert ( hash != NULL );
128  assert ( state != NULL );
129 
130  /* V = HMAC ( K, V ) */
131  hmac_init ( hash, context, state->key, out_len );
132  hmac_update ( hash, context, state->value, out_len );
133  hmac_final ( hash, context, state->value );
134 
135  DBGC ( state, "HMAC_DRBG_%s %p V = HMAC ( K, V ) :\n",
136  hash->name, state );
137  DBGC_HDA ( state, 0, state->value, out_len );
138 }
139 
140 /**
141  * Update HMAC_DRBG internal state
142  *
143  * @v hash Underlying hash algorithm
144  * @v state HMAC_DRBG internal state
145  * @v data Provided data
146  * @v len Length of provided data
147  *
148  * This is the HMAC_DRBG_Update function defined in ANS X9.82 Part
149  * 3-2007 Section 10.2.2.2.2 (NIST SP 800-90 Section 10.1.2.2).
150  *
151  * The key and value are updated in-place within the HMAC_DRBG
152  * internal state.
153  */
154 static void hmac_drbg_update ( struct digest_algorithm *hash,
155  struct hmac_drbg_state *state,
156  const void *data, size_t len ) {
157 
158  DBGC ( state, "HMAC_DRBG_%s %p update\n", hash->name, state );
159 
160  /* Sanity checks */
161  assert ( hash != NULL );
162  assert ( state != NULL );
163  assert ( ( data != NULL ) || ( len == 0 ) );
164 
165  /* 1. K = HMAC ( K, V || 0x00 || provided_data ) */
166  hmac_drbg_update_key ( hash, state, data, len, 0x00 );
167 
168  /* 2. V = HMAC ( K, V ) */
169  hmac_drbg_update_value ( hash, state );
170 
171  /* 3. If ( provided_data = Null ), then return K and V */
172  if ( ! len )
173  return;
174 
175  /* 4. K = HMAC ( K, V || 0x01 || provided_data ) */
176  hmac_drbg_update_key ( hash, state, data, len, 0x01 );
177 
178  /* 5. V = HMAC ( K, V ) */
179  hmac_drbg_update_value ( hash, state );
180 
181  /* 6. Return K and V */
182 }
183 
184 /**
185  * Instantiate HMAC_DRBG
186  *
187  * @v hash Underlying hash algorithm
188  * @v state HMAC_DRBG internal state to be initialised
189  * @v entropy Entropy input
190  * @v entropy_len Length of entropy input
191  * @v personal Personalisation string
192  * @v personal_len Length of personalisation string
193  *
194  * This is the HMAC_DRBG_Instantiate_algorithm function defined in ANS
195  * X9.82 Part 3-2007 Section 10.2.2.2.3 (NIST SP 800-90 Section
196  * 10.1.2.3).
197  *
198  * The nonce must be included within the entropy input (i.e. the
199  * entropy input must contain at least 3/2 * security_strength bits of
200  * entropy, as per ANS X9.82 Part 3-2007 Section 8.4.2 (NIST SP 800-90
201  * Section 8.6.7).
202  *
203  * The key, value and reseed counter are updated in-place within the
204  * HMAC_DRBG internal state.
205  */
206 void hmac_drbg_instantiate ( struct digest_algorithm *hash,
207  struct hmac_drbg_state *state,
208  const void *entropy, size_t entropy_len,
209  const void *personal, size_t personal_len ){
210  size_t out_len = hash->digestsize;
211 
212  DBGC ( state, "HMAC_DRBG_%s %p instantiate\n", hash->name, state );
213 
214  /* Sanity checks */
215  assert ( hash != NULL );
216  assert ( state != NULL );
217  assert ( entropy != NULL );
218  assert ( ( personal != NULL ) || ( personal_len == 0 ) );
219 
220  /* 1. seed_material = entropy_input || nonce ||
221  * personalisation_string
222  */
223 
224  /* 2. Key = 0x00 00..00 */
225  memset ( state->key, 0x00, out_len );
226 
227  /* 3. V = 0x01 01...01 */
228  memset ( state->value, 0x01, out_len );
229 
230  /* 4. ( Key, V ) = HMAC_DBRG_Update ( seed_material, Key, V )
231  * 5. reseed_counter = 1
232  * 6. Return V, Key and reseed_counter as the
233  * initial_working_state
234  */
235  hmac_drbg_reseed ( hash, state, entropy, entropy_len,
236  personal, personal_len );
237 }
238 
239 /**
240  * Reseed HMAC_DRBG
241  *
242  * @v hash Underlying hash algorithm
243  * @v state HMAC_DRBG internal state
244  * @v entropy Entropy input
245  * @v entropy_len Length of entropy input
246  * @v additional Additional input
247  * @v additional_len Length of additional input
248  *
249  * This is the HMAC_DRBG_Reseed_algorithm function defined in ANS X9.82
250  * Part 3-2007 Section 10.2.2.2.4 (NIST SP 800-90 Section 10.1.2.4).
251  *
252  * The key, value and reseed counter are updated in-place within the
253  * HMAC_DRBG internal state.
254  */
255 void hmac_drbg_reseed ( struct digest_algorithm *hash,
256  struct hmac_drbg_state *state,
257  const void *entropy, size_t entropy_len,
258  const void *additional, size_t additional_len ) {
259  uint8_t seed_material[ entropy_len + additional_len ];
260 
261  DBGC ( state, "HMAC_DRBG_%s %p (re)seed\n", hash->name, state );
262 
263  /* Sanity checks */
264  assert ( hash != NULL );
265  assert ( state != NULL );
266  assert ( entropy != NULL );
267  assert ( ( additional != NULL ) || ( additional_len == 0 ) );
268 
269  /* 1. seed_material = entropy_input || additional_input */
270  memcpy ( seed_material, entropy, entropy_len );
271  memcpy ( ( seed_material + entropy_len ), additional, additional_len );
272  DBGC ( state, "HMAC_DRBG_%s %p seed material :\n", hash->name, state );
273  DBGC_HDA ( state, 0, seed_material, sizeof ( seed_material ) );
274 
275  /* 2. ( Key, V ) = HMAC_DBRG_Update ( seed_material, Key, V ) */
276  hmac_drbg_update ( hash, state, seed_material,
277  sizeof ( seed_material ) );
278 
279  /* 3. reseed_counter = 1 */
280  state->reseed_counter = 1;
281 
282  /* 4. Return V, Key and reseed_counter as the new_working_state */
283 }
284 
285 /**
286  * Generate pseudorandom bits using HMAC_DRBG
287  *
288  * @v hash Underlying hash algorithm
289  * @v state HMAC_DRBG internal state
290  * @v additional Additional input
291  * @v additional_len Length of additional input
292  * @v data Output buffer
293  * @v len Length of output buffer
294  * @ret rc Return status code
295  *
296  * This is the HMAC_DRBG_Generate_algorithm function defined in ANS X9.82
297  * Part 3-2007 Section 10.2.2.2.5 (NIST SP 800-90 Section 10.1.2.5).
298  *
299  * Requests must be for an integral number of bytes.
300  *
301  * The key, value and reseed counter are updated in-place within the
302  * HMAC_DRBG internal state.
303  *
304  * Note that the only permitted error is "reseed required".
305  */
306 int hmac_drbg_generate ( struct digest_algorithm *hash,
307  struct hmac_drbg_state *state,
308  const void *additional, size_t additional_len,
309  void *data, size_t len ) {
310  size_t out_len = hash->digestsize;
311  void *orig_data = data;
312  size_t orig_len = len;
313  size_t frag_len;
314 
315  DBGC ( state, "HMAC_DRBG_%s %p generate\n", hash->name, state );
316 
317  /* Sanity checks */
318  assert ( hash != NULL );
319  assert ( state != NULL );
320  assert ( data != NULL );
321  assert ( ( additional != NULL ) || ( additional_len == 0 ) );
322 
323  /* 1. If reseed_counter > reseed_interval, then return an
324  * indication that a reseed is required
325  */
326  if ( state->reseed_counter > HMAC_DRBG_RESEED_INTERVAL ) {
327  DBGC ( state, "HMAC_DRBG_%s %p reseed interval exceeded\n",
328  hash->name, state );
329  return -ESTALE;
330  }
331 
332  /* 2. If additional_input != Null, then
333  * ( Key, V ) = HMAC_DRBG_Update ( additional_input, Key, V )
334  */
335  if ( additional_len )
336  hmac_drbg_update ( hash, state, additional, additional_len );
337 
338  /* 3. temp = Null
339  * 4. While ( len ( temp ) < requested_number_of_bits ) do:
340  */
341  while ( len ) {
342 
343  /* 4.1 V = HMAC ( Key, V ) */
344  hmac_drbg_update_value ( hash, state );
345 
346  /* 4.2. temp = temp || V
347  * 5. returned_bits = Leftmost requested_number_of_bits
348  * of temp
349  */
350  frag_len = len;
351  if ( frag_len > out_len )
352  frag_len = out_len;
353  memcpy ( data, state->value, frag_len );
354  data += frag_len;
355  len -= frag_len;
356  }
357 
358  /* 6. ( Key, V ) = HMAC_DRBG_Update ( additional_input, Key, V ) */
359  hmac_drbg_update ( hash, state, additional, additional_len );
360 
361  /* 7. reseed_counter = reseed_counter + 1 */
362  state->reseed_counter++;
363 
364  DBGC ( state, "HMAC_DRBG_%s %p generated :\n", hash->name, state );
365  DBGC_HDA ( state, 0, orig_data, orig_len );
366 
367  /* 8. Return SUCCESS, returned_bits, and the new values of
368  * Key, V and reseed_counter as the new_working_state
369  */
370  return 0;
371 }
hmac_drbg_generate
int hmac_drbg_generate(struct digest_algorithm *hash, struct hmac_drbg_state *state, const void *additional, size_t additional_len, void *data, size_t len)
Generate pseudorandom bits using HMAC_DRBG.
Definition: hmac_drbg.c:306
hmac_init
void hmac_init(struct digest_algorithm *digest, void *ctx, const void *key, size_t key_len)
Initialise HMAC.
Definition: hmac.c:57
state
uint8_t state
State.
Definition: eth_slow.h:47
errno.h
Error codes.
hmac_drbg_instantiate
void hmac_drbg_instantiate(struct digest_algorithm *hash, struct hmac_drbg_state *state, const void *entropy, size_t entropy_len, const void *personal, size_t personal_len)
Instantiate HMAC_DRBG.
Definition: hmac_drbg.c:206
DBGC
#define DBGC(...)
Definition: compiler.h:505
hmac_drbg_reseed
void hmac_drbg_reseed(struct digest_algorithm *hash, struct hmac_drbg_state *state, const void *entropy, size_t entropy_len, const void *additional, size_t additional_len)
Reseed HMAC_DRBG.
Definition: hmac_drbg.c:255
crypto.h
Cryptographic API.
hmac_drbg_update_key
static void hmac_drbg_update_key(struct digest_algorithm *hash, struct hmac_drbg_state *state, const void *data, size_t len, const uint8_t single)
Update the HMAC_DRBG key.
Definition: hmac_drbg.c:78
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
assert.h
Assertions.
additional
uint16_t additional
Additional sense code and qualifier.
Definition: scsi.h:28
assert
assert((readw(&hdr->flags) &(GTF_reading|GTF_writing))==0)
hmac.h
Keyed-Hashing for Message Authentication.
DBGC_HDA
#define DBGC_HDA(...)
Definition: compiler.h:506
hmac_drbg_update_value
static void hmac_drbg_update_value(struct digest_algorithm *hash, struct hmac_drbg_state *state)
Update the HMAC_DRBG value.
Definition: hmac_drbg.c:121
HMAC_DRBG_RESEED_INTERVAL
#define HMAC_DRBG_RESEED_INTERVAL
Reseed interval.
Definition: hmac_drbg.h:206
hmac_update
static void hmac_update(struct digest_algorithm *digest, void *ctx, const void *data, size_t len)
Update HMAC.
Definition: hmac.h:42
hash
pseudo_bit_t hash[0x00010]
Hash algorithm.
Definition: arbel.h:13
FILE_LICENCE
FILE_LICENCE(GPL2_OR_LATER_OR_UBDL)
uint8_t
unsigned char uint8_t
Definition: stdint.h:10
hmac_drbg_state
HMAC_DRBG internal state.
Definition: hmac_drbg.h:218
len
uint32_t len
Length.
Definition: ena.h:14
digest_algorithm
A message digest algorithm.
Definition: crypto.h:17
data
uint8_t data[48]
Additional event data.
Definition: ena.h:22
hmac_final
void hmac_final(struct digest_algorithm *digest, void *ctx, void *hmac)
Finalise HMAC.
Definition: hmac.c:87
hmac_drbg_update
static void hmac_drbg_update(struct digest_algorithm *hash, struct hmac_drbg_state *state, const void *data, size_t len)
Update HMAC_DRBG internal state.
Definition: hmac_drbg.c:154
NULL
#define NULL
NULL pointer (VOID *)
Definition: Base.h:321
string.h
String functions.
ESTALE
#define ESTALE
Stale file handle.
Definition: errno.h:659
memset
void * memset(void *dest, int character, size_t len) __nonnull
hmac_drbg.h
HMAC_DRBG algorithm.
Generated by   doxygen 1.8.15