iPXE
Data Structures | Defines | Functions
hmac_drbg.h File Reference

HMAC_DRBG algorithm. More...

#include <stdint.h>
#include <ipxe/crypto.h>

Go to the source code of this file.

Data Structures

struct  hmac_drbg_state
 HMAC_DRBG internal state. More...

Defines

#define HMAC_DRBG(hash, max_security_strength, out_len_bits)   ( hash, max_security_strength, out_len_bits )
 Declare an HMAC_DRBG algorithm.
#define HMAC_DRBG_SHA1   HMAC_DRBG ( &sha1_algorithm, 128, 160 )
 HMAC_DRBG using SHA-1.
#define HMAC_DRBG_SHA224   HMAC_DRBG ( &sha224_algorithm, 192, 224 )
 HMAC_DRBG using SHA-224.
#define HMAC_DRBG_SHA256   HMAC_DRBG ( &sha256_algorithm, 256, 256 )
 HMAC_DRBG using SHA-256.
#define HMAC_DRBG_SHA384   HMAC_DRBG ( &sha384_algorithm, 256, 384 )
 HMAC_DRBG using SHA-384.
#define HMAC_DRBG_SHA512   HMAC_DRBG ( &sha512_algorithm, 256, 512 )
 HMAC_DRBG using SHA-512.
#define HMAC_DRBG_HASH(hmac_drbg)   HMAC_DRBG_EXTRACT_HASH hmac_drbg
 Underlying hash algorithm.
#define HMAC_DRBG_EXTRACT_HASH(hash, max_security_strength, out_len_bits)   hash
#define HMAC_DRBG_MAX_SECURITY_STRENGTH(hmac_drbg)   HMAC_DRBG_EXTRACT_MAX_SECURITY_STRENGTH hmac_drbg
 Maximum security strength.
#define HMAC_DRBG_EXTRACT_MAX_SECURITY_STRENGTH(hash, max_security_strength, out_len_bits)   max_security_strength
#define HMAC_DRBG_OUTLEN_BITS(hmac_drbg)   HMAC_DRBG_EXTRACT_OUTLEN_BITS hmac_drbg
 Output block length, in bits.
#define HMAC_DRBG_EXTRACT_OUTLEN_BITS(hash, max_security_strength, out_len_bits)   out_len_bits
#define HMAC_DRBG_OUTLEN_BYTES(hmac_drbg)   ( HMAC_DRBG_OUTLEN_BITS ( hmac_drbg ) / 8 )
 Output block length, in bytes.
#define HMAC_DRBG_MAX_OUTLEN_BYTES   HMAC_DRBG_OUTLEN_BYTES ( HMAC_DRBG_SHA512 )
 Maximum output block length, in bytes.
#define HMAC_DRBG_MIN_ENTROPY(security_strength)   (security_strength)
 Required minimum entropy for instantiate and reseed.
#define HMAC_DRBG_MIN_ENTROPY_LEN_BYTES(security_strength)   ( (security_strength) / 8 )
 Minimum entropy input length.
#define HMAC_DRBG_MAX_ENTROPY_LEN_BYTES   32
 Maximum entropy input length.
#define HMAC_DRBG_MAX_PERSONAL_LEN_BYTES   0xffffffffUL
 Maximum personalisation string length.
#define HMAC_DRBG_MAX_ADDITIONAL_LEN_BYTES   0xffffffffUL
 Maximum additional input length.
#define HMAC_DRBG_MAX_GENERATED_LEN_BYTES   0x0000ffffUL
 Maximum length of generated pseudorandom data per request.
#define HMAC_DRBG_RESEED_INTERVAL   1024
 Reseed interval.

Functions

 FILE_LICENCE (GPL2_OR_LATER_OR_UBDL)
void hmac_drbg_instantiate (struct digest_algorithm *hash, struct hmac_drbg_state *state, const void *entropy, size_t entropy_len, const void *personal, size_t personal_len)
 Instantiate HMAC_DRBG.
void hmac_drbg_reseed (struct digest_algorithm *hash, struct hmac_drbg_state *state, const void *entropy, size_t entropy_len, const void *additional, size_t additional_len)
 Reseed HMAC_DRBG.
int hmac_drbg_generate (struct digest_algorithm *hash, struct hmac_drbg_state *state, const void *additional, size_t additional_len, void *data, size_t len)
 Generate pseudorandom bits using HMAC_DRBG.

Detailed Description

HMAC_DRBG algorithm.

Definition in file hmac_drbg.h.


Define Documentation

#define HMAC_DRBG (   hash,
  max_security_strength,
  out_len_bits 
)    ( hash, max_security_strength, out_len_bits )

Declare an HMAC_DRBG algorithm.

Parameters:
hashUnderlying hash algorithm
max_security_strengthMaxmimum security strength
out_len_bitsOutput block length, in bits
Return values:
hmac_drbgHMAC_DRBG algorithm

Definition at line 22 of file hmac_drbg.h.

#define HMAC_DRBG_SHA1   HMAC_DRBG ( &sha1_algorithm, 128, 160 )

HMAC_DRBG using SHA-1.

The maximum security strength of HMAC_DRBG using SHA-1 is 128 bits according to the list of maximum security strengths documented in NIST SP 800-57 Part 1 Section 5.6.1 Table 3.

The output block length of HMAC_DRBG using SHA-1 is 160 bits according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2 (NIST SP 800-90 Section 10.1 Table 2).

Definition at line 35 of file hmac_drbg.h.

#define HMAC_DRBG_SHA224   HMAC_DRBG ( &sha224_algorithm, 192, 224 )

HMAC_DRBG using SHA-224.

The maximum security strength of HMAC_DRBG using SHA-224 is 192 bits according to the list of maximum security strengths documented in NIST SP 800-57 Part 1 Section 5.6.1 Table 3.

The output block length of HMAC_DRBG using SHA-224 is 224 bits according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2 (NIST SP 800-90 Section 10.1 Table 2).

Definition at line 47 of file hmac_drbg.h.

#define HMAC_DRBG_SHA256   HMAC_DRBG ( &sha256_algorithm, 256, 256 )

HMAC_DRBG using SHA-256.

The maximum security strength of HMAC_DRBG using SHA-256 is 256 bits according to the list of maximum security strengths documented in NIST SP 800-57 Part 1 Section 5.6.1 Table 3.

The output block length of HMAC_DRBG using SHA-256 is 256 bits according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2 (NIST SP 800-90 Section 10.1 Table 2).

Definition at line 59 of file hmac_drbg.h.

#define HMAC_DRBG_SHA384   HMAC_DRBG ( &sha384_algorithm, 256, 384 )

HMAC_DRBG using SHA-384.

The maximum security strength of HMAC_DRBG using SHA-384 is 256 bits according to the list of maximum security strengths documented in NIST SP 800-57 Part 1 Section 5.6.1 Table 3.

The output block length of HMAC_DRBG using SHA-384 is 384 bits according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2 (NIST SP 800-90 Section 10.1 Table 2).

Definition at line 71 of file hmac_drbg.h.

#define HMAC_DRBG_SHA512   HMAC_DRBG ( &sha512_algorithm, 256, 512 )

HMAC_DRBG using SHA-512.

The maximum security strength of HMAC_DRBG using SHA-512 is 256 bits according to the list of maximum security strengths documented in NIST SP 800-57 Part 1 Section 5.6.1 Table 3.

The output block length of HMAC_DRBG using SHA-512 is 512 bits according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2 (NIST SP 800-90 Section 10.1 Table 2).

Definition at line 83 of file hmac_drbg.h.

#define HMAC_DRBG_HASH (   hmac_drbg)    HMAC_DRBG_EXTRACT_HASH hmac_drbg

Underlying hash algorithm.

Parameters:
hmac_drbgHMAC_DRBG algorithm
Return values:
hashUnderlying hash algorithm

Definition at line 90 of file hmac_drbg.h.

Referenced by drbg_generate_algorithm(), drbg_instantiate_algorithm(), and drbg_reseed_algorithm().

#define HMAC_DRBG_EXTRACT_HASH (   hash,
  max_security_strength,
  out_len_bits 
)    hash

Definition at line 92 of file hmac_drbg.h.

Maximum security strength.

Parameters:
hmac_drbgHMAC_DRBG algorithm
Return values:
max_security_strengthMaxmimum security strength

Definition at line 100 of file hmac_drbg.h.

#define HMAC_DRBG_EXTRACT_MAX_SECURITY_STRENGTH (   hash,
  max_security_strength,
  out_len_bits 
)    max_security_strength

Definition at line 102 of file hmac_drbg.h.

#define HMAC_DRBG_OUTLEN_BITS (   hmac_drbg)    HMAC_DRBG_EXTRACT_OUTLEN_BITS hmac_drbg

Output block length, in bits.

Parameters:
hmac_drbgHMAC_DRBG algorithm
Return values:
out_len_bitsOutput block length, in bits

Definition at line 111 of file hmac_drbg.h.

#define HMAC_DRBG_EXTRACT_OUTLEN_BITS (   hash,
  max_security_strength,
  out_len_bits 
)    out_len_bits

Definition at line 113 of file hmac_drbg.h.

#define HMAC_DRBG_OUTLEN_BYTES (   hmac_drbg)    ( HMAC_DRBG_OUTLEN_BITS ( hmac_drbg ) / 8 )

Output block length, in bytes.

Parameters:
hmac_drbgHMAC_DRBG algorithm
Return values:
out_len_bytesOutput block length, in bytes

Definition at line 122 of file hmac_drbg.h.

Maximum output block length, in bytes.

The maximum output block length for HMAC_DRBG is 512 bits for SHA-512 according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2 (NIST SP 800-90 Section 10.1 Table 2).

Definition at line 131 of file hmac_drbg.h.

#define HMAC_DRBG_MIN_ENTROPY (   security_strength)    (security_strength)

Required minimum entropy for instantiate and reseed.

Parameters:
security_strengthSecurity strength
Return values:
min_entropyRequired minimum entropy

The minimum required entropy for HMAC_DRBG is equal to the security strength according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2 (NIST SP 800-90 Section 10.1 Table 2).

Definition at line 142 of file hmac_drbg.h.

#define HMAC_DRBG_MIN_ENTROPY_LEN_BYTES (   security_strength)    ( (security_strength) / 8 )

Minimum entropy input length.

Parameters:
security_strengthSecurity strength
Return values:
min_entropy_len_bytesRequired minimum entropy length (in bytes)

The minimum entropy input length for HMAC_DRBG is equal to the security strength according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2 (NIST SP 800-90 Section 10.1 Table 2).

Definition at line 153 of file hmac_drbg.h.

Maximum entropy input length.

The maximum entropy input length for HMAC_DRBG is 2^35 bits according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2 (NIST SP 800-90 Section 10.1 Table 2).

We choose to allow up to 32 bytes.

Definition at line 164 of file hmac_drbg.h.

#define HMAC_DRBG_MAX_PERSONAL_LEN_BYTES   0xffffffffUL

Maximum personalisation string length.

The maximum permitted personalisation string length for HMAC_DRBG is 2^35 bits according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 1 (NIST SP 800-90 Section 10.1 Table 2).

We choose to allow up to 2^32-1 bytes (i.e. 2^35-8 bits).

Definition at line 174 of file hmac_drbg.h.

#define HMAC_DRBG_MAX_ADDITIONAL_LEN_BYTES   0xffffffffUL

Maximum additional input length.

The maximum permitted additional input length for HMAC_DRBG is 2^35 bits according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 1 (NIST SP 800-90 Section 10.1 Table 2).

We choose to allow up to 2^32-1 bytes (i.e. 2^35-8 bits).

Definition at line 184 of file hmac_drbg.h.

#define HMAC_DRBG_MAX_GENERATED_LEN_BYTES   0x0000ffffUL

Maximum length of generated pseudorandom data per request.

The maximum number of bits per request for HMAC_DRBG is 2^19 bits according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 1 (NIST SP 800-90 Section 10.1 Table 2).

We choose to allow up to 2^16-1 bytes (i.e. 2^19-8 bits).

Definition at line 194 of file hmac_drbg.h.

#define HMAC_DRBG_RESEED_INTERVAL   1024

Reseed interval.

The maximum permitted reseed interval for HMAC_DRBG is 2^48 according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2 (NIST SP 800-90 Section 10.1 Table 2). However, the sample implementation given in ANS X9.82 Part 3-2007 Annex E.2.1 (NIST SP 800-90 Appendix F.2) shows a reseed interval of 10000.

We choose a very conservative reseed interval.

Definition at line 206 of file hmac_drbg.h.

Referenced by force_reseed_required(), and hmac_drbg_generate().


Function Documentation

FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL  )
void hmac_drbg_instantiate ( struct digest_algorithm hash,
struct hmac_drbg_state state,
const void *  entropy,
size_t  entropy_len,
const void *  personal,
size_t  personal_len 
)

Instantiate HMAC_DRBG.

Parameters:
hashUnderlying hash algorithm
stateHMAC_DRBG internal state to be initialised
entropyEntropy input
entropy_lenLength of entropy input
personalPersonalisation string
personal_lenLength of personalisation string

This is the HMAC_DRBG_Instantiate_algorithm function defined in ANS X9.82 Part 3-2007 Section 10.2.2.2.3 (NIST SP 800-90 Section 10.1.2.3).

The nonce must be included within the entropy input (i.e. the entropy input must contain at least 3/2 * security_strength bits of entropy, as per ANS X9.82 Part 3-2007 Section 8.4.2 (NIST SP 800-90 Section 8.6.7).

The key, value and reseed counter are updated in-place within the HMAC_DRBG internal state.

Definition at line 210 of file hmac_drbg.c.

References assert, DBGC, digest_algorithm::digestsize, hmac_drbg_reseed(), hmac_drbg_state::key, memset(), digest_algorithm::name, NULL, and hmac_drbg_state::value.

Referenced by drbg_instantiate_algorithm().

                                                                        {
        size_t out_len = hash->digestsize;

        DBGC ( state, "HMAC_DRBG_%s %p instantiate\n", hash->name, state );

        /* Sanity checks */
        assert ( hash != NULL );
        assert ( state != NULL );
        assert ( entropy != NULL );
        assert ( ( personal != NULL ) || ( personal_len == 0 ) );

        /* 1.  seed_material = entropy_input || nonce ||
         *     personalisation_string
         */

        /* 2.  Key = 0x00 00..00 */
        memset ( state->key, 0x00, out_len );

        /* 3.  V = 0x01 01...01 */
        memset ( state->value, 0x01, out_len );

        /* 4.  ( Key, V ) = HMAC_DBRG_Update ( seed_material, Key, V )
         * 5.  reseed_counter = 1
         * 6.  Return V, Key and reseed_counter as the
         *     initial_working_state
         */
        hmac_drbg_reseed ( hash, state, entropy, entropy_len,
                           personal, personal_len );
}
void hmac_drbg_reseed ( struct digest_algorithm hash,
struct hmac_drbg_state state,
const void *  entropy,
size_t  entropy_len,
const void *  additional,
size_t  additional_len 
)

Reseed HMAC_DRBG.

Parameters:
hashUnderlying hash algorithm
stateHMAC_DRBG internal state
entropyEntropy input
entropy_lenLength of entropy input
additionalAdditional input
additional_lenLength of additional input

This is the HMAC_DRBG_Reseed_algorithm function defined in ANS X9.82 Part 3-2007 Section 10.2.2.2.4 (NIST SP 800-90 Section 10.1.2.4).

The key, value and reseed counter are updated in-place within the HMAC_DRBG internal state.

Definition at line 259 of file hmac_drbg.c.

References assert, DBGC, DBGC_HDA, hmac_drbg_update(), memcpy(), digest_algorithm::name, NULL, and hmac_drbg_state::reseed_counter.

Referenced by drbg_reseed_algorithm(), and hmac_drbg_instantiate().

                                                                        {
        uint8_t seed_material[ entropy_len + additional_len ];

        DBGC ( state, "HMAC_DRBG_%s %p (re)seed\n", hash->name, state );

        /* Sanity checks */
        assert ( hash != NULL );
        assert ( state != NULL );
        assert ( entropy != NULL );
        assert ( ( additional != NULL ) || ( additional_len == 0 ) );

        /* 1.  seed_material = entropy_input || additional_input */
        memcpy ( seed_material, entropy, entropy_len );
        memcpy ( ( seed_material + entropy_len ), additional, additional_len );
        DBGC ( state, "HMAC_DRBG_%s %p seed material :\n", hash->name, state );
        DBGC_HDA ( state, 0, seed_material, sizeof ( seed_material ) );

        /* 2.  ( Key, V ) = HMAC_DBRG_Update ( seed_material, Key, V ) */
        hmac_drbg_update ( hash, state, seed_material,
                           sizeof ( seed_material ) );

        /* 3.  reseed_counter = 1 */
        state->reseed_counter = 1;

        /* 4.  Return V, Key and reseed_counter as the new_working_state */
}
int hmac_drbg_generate ( struct digest_algorithm hash,
struct hmac_drbg_state state,
const void *  additional,
size_t  additional_len,
void *  data,
size_t  len 
)

Generate pseudorandom bits using HMAC_DRBG.

Parameters:
hashUnderlying hash algorithm
stateHMAC_DRBG internal state
additionalAdditional input
additional_lenLength of additional input
dataOutput buffer
lenLength of output buffer
Return values:
rcReturn status code

This is the HMAC_DRBG_Generate_algorithm function defined in ANS X9.82 Part 3-2007 Section 10.2.2.2.5 (NIST SP 800-90 Section 10.1.2.5).

Requests must be for an integral number of bytes.

The key, value and reseed counter are updated in-place within the HMAC_DRBG internal state.

Note that the only permitted error is "reseed required".

Definition at line 310 of file hmac_drbg.c.

References assert, data, DBGC, DBGC_HDA, digest_algorithm::digestsize, ESTALE, HMAC_DRBG_RESEED_INTERVAL, hmac_drbg_update(), hmac_drbg_update_value(), len, memcpy(), digest_algorithm::name, NULL, hmac_drbg_state::reseed_counter, and hmac_drbg_state::value.

Referenced by drbg_generate_algorithm().

                                                  {
        size_t out_len = hash->digestsize;
        void *orig_data = data;
        size_t orig_len = len;
        size_t frag_len;

        DBGC ( state, "HMAC_DRBG_%s %p generate\n", hash->name, state );

        /* Sanity checks */
        assert ( hash != NULL );
        assert ( state != NULL );
        assert ( data != NULL );
        assert ( ( additional != NULL ) || ( additional_len == 0 ) );

        /* 1.  If reseed_counter > reseed_interval, then return an
         *     indication that a reseed is required
         */
        if ( state->reseed_counter > HMAC_DRBG_RESEED_INTERVAL ) {
                DBGC ( state, "HMAC_DRBG_%s %p reseed interval exceeded\n",
                       hash->name, state );
                return -ESTALE;
        }

        /* 2.  If additional_input != Null, then
         *     ( Key, V ) = HMAC_DRBG_Update ( additional_input, Key, V )
         */
        if ( additional_len )
                hmac_drbg_update ( hash, state, additional, additional_len );

        /* 3.  temp = Null
         * 4.  While ( len ( temp ) < requested_number_of_bits ) do:
         */
        while ( len ) {

                /* 4.1  V = HMAC ( Key, V ) */
                hmac_drbg_update_value ( hash, state );

                /* 4.2.  temp = temp || V
                 * 5.    returned_bits = Leftmost requested_number_of_bits
                 *       of temp
                 */
                frag_len = len;
                if ( frag_len > out_len )
                        frag_len = out_len;
                memcpy ( data, state->value, frag_len );
                data += frag_len;
                len -= frag_len;
        }

        /* 6.  ( Key, V ) = HMAC_DRBG_Update ( additional_input, Key, V ) */
        hmac_drbg_update ( hash, state, additional, additional_len );

        /* 7.  reseed_counter = reseed_counter + 1 */
        state->reseed_counter++;

        DBGC ( state, "HMAC_DRBG_%s %p generated :\n", hash->name, state );
        DBGC_HDA ( state, 0, orig_data, orig_len );

        /* 8.  Return SUCCESS, returned_bits, and the new values of
         *     Key, V and reseed_counter as the new_working_state
         */
        return 0;
}