iPXE
drbg.c
Go to the documentation of this file.
1 /*
2  * Copyright (C) 2012 Michael Brown <mbrown@fensystems.co.uk>.
3  *
4  * This program is free software; you can redistribute it and/or
5  * modify it under the terms of the GNU General Public License as
6  * published by the Free Software Foundation; either version 2 of the
7  * License, or any later version.
8  *
9  * This program is distributed in the hope that it will be useful, but
10  * WITHOUT ANY WARRANTY; without even the implied warranty of
11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12  * General Public License for more details.
13  *
14  * You should have received a copy of the GNU General Public License
15  * along with this program; if not, write to the Free Software
16  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
17  * 02110-1301, USA.
18  *
19  * You can also choose to distribute this program under the terms of
20  * the Unmodified Binary Distribution Licence (as given in the file
21  * COPYING.UBDL), provided that you have satisfied its requirements.
22  *
23  * Alternatively, you may distribute this code in source or binary
24  * form, with or without modification, provided that the following
25  * conditions are met:
26  *
27  * 1. Redistributions of source code must retain the above copyright
28  * notice, this list of conditions and the above disclaimer.
29  *
30  * 2. Redistributions in binary form must reproduce the above
31  * copyright notice, this list of conditions and the above
32  * disclaimer in the documentation and/or other materials provided
33  * with the distribution.
34  */
35 
36 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
37 FILE_SECBOOT ( PERMITTED );
38 
39 /** @file
40  *
41  * DRBG mechanism
42  *
43  * This mechanism is designed to comply with ANS X9.82 Part 3-2007
44  * Section 9. This standard is not freely available, but most of the
45  * text appears to be shared with NIST SP 800-90, which can be
46  * downloaded from
47  *
48  * http://csrc.nist.gov/publications/nistpubs/800-90/SP800-90revised_March2007.pdf
49  *
50  * Where possible, references are given to both documents. In the
51  * case of any disagreement, ANS X9.82 takes priority over NIST SP
52  * 800-90. (In particular, note that some algorithms that are
53  * Approved by NIST SP 800-90 are not Approved by ANS X9.82.)
54  */
55 
56 #include <stdint.h>
57 #include <string.h>
58 #include <errno.h>
59 #include <assert.h>
60 #include <ipxe/entropy.h>
61 #include <ipxe/drbg.h>
62 
63 /**
64  * Instantiate DRBG
65  *
66  * @v state Algorithm state to be initialised
67  * @v personal Personalisation string
68  * @v personal_len Length of personalisation string
69  * @ret rc Return status code
70  *
71  * This is the Instantiate_function defined in ANS X9.82 Part 3-2007
72  * Section 9.2 (NIST SP 800-90 Section 9.1).
73  *
74  * Only a single security strength is supported, and prediction
75  * resistance is always enabled. The nonce is accounted for by
76  * increasing the entropy input, as per ANS X9.82 Part 3-2007 Section
77  * 8.4.2 (NIST SP 800-90 Section 8.6.7).
78  */
79 int drbg_instantiate ( struct drbg_state *state, const void *personal,
80  size_t personal_len ) {
81  unsigned int entropy_bits = ( ( 3 * DRBG_SECURITY_STRENGTH + 1 ) / 2 );
82  size_t min_len = DRBG_MIN_ENTROPY_LEN_BYTES;
83  size_t max_len = DRBG_MAX_ENTROPY_LEN_BYTES;
84  uint8_t data[max_len];
85  int len;
86  int rc;
87 
88  DBGC ( state, "DRBG %p instantiate\n", state );
89 
90  /* Sanity checks */
91  assert ( state != NULL );
92 
93  /* 1. If requested_instantiation_security_strength >
94  * highest_supported_security_strength, then return an
95  * ERROR_FLAG
96  */
97  if ( DRBG_SECURITY_STRENGTH > DRBG_MAX_SECURITY_STRENGTH ) {
98  DBGC ( state, "DRBG %p cannot support security strength %d\n",
99  state, DRBG_SECURITY_STRENGTH );
100  return -ENOTSUP;
101  }
102 
103  /* 2. If prediction_resistance_flag is set, and prediction
104  * resistance is not supported, then return an ERROR_FLAG
105  *
106  * (Nothing to do since prediction resistance is always
107  * supported.)
108  */
109 
110  /* 3. If the length of the personalization_string >
111  * max_personalization_string_length, return an ERROR_FLAG
112  */
113  if ( personal_len > DRBG_MAX_PERSONAL_LEN_BYTES ) {
114  DBGC ( state, "DRBG %p personalisation string too long (%zd "
115  "bytes)\n", state, personal_len );
116  return -ERANGE;
117  }
118 
119  /* 4. Set security_strength to the nearest security strength
120  * greater than or equal to
121  * requested_instantiation_security_strength.
122  *
123  * (Nothing to do since we support only a single security
124  * strength.)
125  */
126 
127  /* 5. Using the security_strength, select appropriate DRBG
128  * mechanism parameters.
129  *
130  * (Nothing to do since we support only a single security
131  * strength.)
132  */
133 
134  /* 6. ( status, entropy_input ) = Get_entropy_input (
135  * security_strength, min_length, max_length,
136  * prediction_resistance_request )
137  * 7. If an ERROR is returned in step 6, return a
138  * CATASTROPHIC_ERROR_FLAG.
139  * 8. Obtain a nonce.
140  */
141  len = get_entropy_input ( entropy_bits, data, min_len,
142  sizeof ( data ) );
143  if ( len < 0 ) {
144  rc = len;
145  DBGC ( state, "DRBG %p could not get entropy input: %s\n",
146  state, strerror ( rc ) );
147  return rc;
148  }
149  assert ( len >= ( int ) min_len );
150  assert ( len <= ( int ) sizeof ( data ) );
151 
152  /* 9. initial_working_state = Instantiate_algorithm (
153  * entropy_input, nonce, personalization_string ).
154  */
155  drbg_instantiate_algorithm ( state, data, len, personal, personal_len );
156 
157  /* 10. Get a state_handle for a currently empty state. If an
158  * empty internal state cannot be found, return an
159  * ERROR_FLAG.
160  * 11. Set the internal state indicated by state_handle to
161  * the initial values for the internal state (i.e. set
162  * the working_state to the values returned as
163  * initial_working_state in step 9 and any other values
164  * required for the working_state, and set the
165  * administrative information to the appropriate values.
166  *
167  * (Almost nothing to do since the memory to hold the state
168  * was passed in by the caller and has already been updated
169  * in-situ.)
170  */
171  state->reseed_required = 0;
172  state->valid = 1;
173 
174  /* 12. Return SUCCESS and state_handle. */
175  return 0;
176 }
177 
178 /**
179  * Reseed DRBG
180  *
181  * @v state Algorithm state
182  * @v additional Additional input
183  * @v additional_len Length of additional input
184  * @ret rc Return status code
185  *
186  * This is the Reseed_function defined in ANS X9.82 Part 3-2007
187  * Section 9.3 (NIST SP 800-90 Section 9.2).
188  *
189  * Prediction resistance is always enabled.
190  */
191 int drbg_reseed ( struct drbg_state *state, const void *additional,
192  size_t additional_len ) {
193  unsigned int entropy_bits = DRBG_SECURITY_STRENGTH;
194  size_t min_len = DRBG_MIN_ENTROPY_LEN_BYTES;
195  size_t max_len = DRBG_MAX_ENTROPY_LEN_BYTES;
196  uint8_t data[max_len];
197  int len;
198  int rc;
199 
200  DBGC ( state, "DRBG %p reseed\n", state );
201 
202  /* Sanity checks */
203  assert ( state != NULL );
204 
205  /* 1. Using state_handle, obtain the current internal state.
206  * If state_handle indicates an invalid or empty internal
207  * state, return an ERROR_FLAG.
208  *
209  * (Almost nothing to do since the memory holding the internal
210  * state was passed in by the caller.)
211  */
212  if ( ! state->valid ) {
213  DBGC ( state, "DRBG %p not valid\n", state );
214  return -EINVAL;
215  }
216 
217  /* 2. If prediction_resistance_request is set, and
218  * prediction_resistance_flag is not set, then return an
219  * ERROR_FLAG.
220  *
221  * (Nothing to do since prediction resistance is always
222  * supported.)
223  */
224 
225  /* 3. If the length of the additional_input >
226  * max_additional_input_length, return an ERROR_FLAG.
227  */
228  if ( additional_len > DRBG_MAX_ADDITIONAL_LEN_BYTES ) {
229  DBGC ( state, "DRBG %p additional input too long (%zd bytes)\n",
230  state, additional_len );
231  return -ERANGE;
232  }
233 
234  /* 4. ( status, entropy_input ) = Get_entropy_input (
235  * security_strength, min_length, max_length,
236  * prediction_resistance_request ).
237  *
238  * 5. If an ERROR is returned in step 4, return a
239  * CATASTROPHIC_ERROR_FLAG.
240  */
241  len = get_entropy_input ( entropy_bits, data, min_len,
242  sizeof ( data ) );
243  if ( len < 0 ) {
244  rc = len;
245  DBGC ( state, "DRBG %p could not get entropy input: %s\n",
246  state, strerror ( rc ) );
247  return rc;
248  }
249 
250  /* 6. new_working_state = Reseed_algorithm ( working_state,
251  * entropy_input, additional_input ).
252  */
253  drbg_reseed_algorithm ( state, data, len, additional, additional_len );
254 
255  /* 7. Replace the working_state in the internal state
256  * indicated by state_handle with the values of
257  * new_working_state obtained in step 6.
258  *
259  * (Nothing to do since the state has already been updated in-situ.)
260  */
261 
262  /* 8. Return SUCCESS. */
263  return 0;
264 }
265 
266 /**
267  * Generate pseudorandom bits using DRBG
268  *
269  * @v state Algorithm state
270  * @v additional Additional input
271  * @v additional_len Length of additional input
272  * @v prediction_resist Prediction resistance is required
273  * @v data Output buffer
274  * @v len Length of output buffer
275  * @ret rc Return status code
276  *
277  * This is the Generate_function defined in ANS X9.82 Part 3-2007
278  * Section 9.4 (NIST SP 800-90 Section 9.3).
279  *
280  * Requests must be for an integral number of bytes. Only a single
281  * security strength is supported. Prediction resistance is supported
282  * if requested.
283  */
284 int drbg_generate ( struct drbg_state *state, const void *additional,
285  size_t additional_len, int prediction_resist,
286  void *data, size_t len ) {
287  int rc;
288 
289  DBGC ( state, "DRBG %p generate\n", state );
290 
291  /* Sanity checks */
292  assert ( state != NULL );
293  assert ( data != NULL );
294 
295  /* 1. Using state_handle, obtain the current internal state
296  * for the instantiation. If state_handle indicates an
297  * invalid or empty internal state, then return an ERROR_FLAG.
298  *
299  * (Almost nothing to do since the memory holding the internal
300  * state was passed in by the caller.)
301  */
302  if ( ! state->valid ) {
303  DBGC ( state, "DRBG %p not valid\n", state );
304  return -EINVAL;
305  }
306 
307  /* 2. If requested_number_of_bits >
308  * max_number_of_bits_per_request, then return an
309  * ERROR_FLAG.
310  */
311  if ( len > DRBG_MAX_GENERATED_LEN_BYTES ) {
312  DBGC ( state, "DRBG %p request too long (%zd bytes)\n",
313  state, len );
314  return -ERANGE;
315  }
316 
317  /* 3. If requested_security_strength > the security_strength
318  * indicated in the internal state, then return an
319  * ERROR_FLAG.
320  *
321  * (Nothing to do since only a single security strength is
322  * supported.)
323  */
324 
325  /* 4. If the length of the additional_input >
326  * max_additional_input_length, then return an ERROR_FLAG.
327  */
328  if ( additional_len > DRBG_MAX_ADDITIONAL_LEN_BYTES ) {
329  DBGC ( state, "DRBG %p additional input too long (%zd bytes)\n",
330  state, additional_len );
331  return -ERANGE;
332  }
333 
334  /* 5. If prediction_resistance_request is set, and
335  * prediction_resistance_flag is not set, then return an
336  * ERROR_FLAG.
337  *
338  * (Nothing to do since prediction resistance is always
339  * supported.)
340  */
341 
342  /* 6. Clear the reseed_required_flag. */
343  state->reseed_required = 0;
344 
345  step_7:
346  /* 7. If reseed_required_flag is set, or if
347  * prediction_resistance_request is set, then
348  */
349  if ( state->reseed_required || prediction_resist ) {
350 
351  /* 7.1 status = Reseed_function ( state_handle,
352  * prediction_resistance_request,
353  * additional_input )
354  * 7.2 If status indicates an ERROR, then return
355  * status.
356  */
357  if ( ( rc = drbg_reseed ( state, additional,
358  additional_len ) ) != 0 ) {
359  DBGC ( state, "DRBG %p could not reseed: %s\n",
360  state, strerror ( rc ) );
361  return rc;
362  }
363 
364  /* 7.3 Using state_handle, obtain the new internal
365  * state.
366  *
367  * (Nothing to do since the internal state has been
368  * updated in-situ.)
369  */
370 
371  /* 7.4 additional_input = the Null string. */
372  additional = NULL;
373  additional_len = 0;
374 
375  /* 7.5 Clear the reseed_required_flag. */
376  state->reseed_required = 0;
377  }
378 
379  /* 8. ( status, pseudorandom_bits, new_working_state ) =
380  * Generate_algorithm ( working_state,
381  * requested_number_of_bits, additional_input ).
382  */
383  rc = drbg_generate_algorithm ( state, additional, additional_len,
384  data, len );
385 
386  /* 9. If status indicates that a reseed is required before
387  * the requested bits can be generated, then
388  */
389  if ( rc != 0 ) {
390 
391  /* 9.1 Set the reseed_required_flag. */
392  state->reseed_required = 1;
393 
394  /* 9.2 If the prediction_resistance_flag is set, then
395  * set the prediction_resistance_request
396  * indication.
397  */
398  prediction_resist = 1;
399 
400  /* 9.3 Go to step 7. */
401  goto step_7;
402  }
403 
404  /* 10. Replace the old working_state in the internal state
405  * indicated by state_handle with the values of
406  * new_working_state.
407  *
408  * (Nothing to do since the working state has already been
409  * updated in-situ.)
410  */
411 
412  /* 11. Return SUCCESS and pseudorandom_bits. */
413  return 0;
414 }
415 
416 /**
417  * Uninstantiate DRBG
418  *
419  * @v state Algorithm state
420  *
421  * This is the Uninstantiate_function defined in ANS X9.82 Part 3-2007
422  * Section 9.5 (NIST SP 800-90 Section 9.4).
423  */
424 void drbg_uninstantiate ( struct drbg_state *state ) {
425 
426  DBGC ( state, "DRBG %p uninstantiate\n", state );
427 
428  /* Sanity checks */
429  assert ( state != NULL );
430 
431  /* 1. If state_handle indicates an invalid state, then return
432  * an ERROR_FLAG.
433  *
434  * (Nothing to do since the memory holding the internal state
435  * was passed in by the caller.)
436  */
437 
438  /* 2. Erase the contents of the internal state indicated by
439  * state_handle.
440  */
441  memset ( state, 0, sizeof ( *state ) );
442 
443  /* 3. Return SUCCESS. */
444 }
EINVAL
#define EINVAL
Invalid argument.
Definition: errno.h:429
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
DRBG_MAX_ENTROPY_LEN_BYTES
#define DRBG_MAX_ENTROPY_LEN_BYTES
Maximum entropy input length.
Definition: drbg.h:38
get_entropy_input
static int get_entropy_input(unsigned int min_entropy_bits, void *data, size_t min_len, size_t max_len)
Obtain entropy input.
Definition: entropy.h:232
drbg.h
DRBG mechanism.
state
uint8_t state
State.
Definition: eth_slow.h:48
errno.h
Error codes.
drbg_reseed
int drbg_reseed(struct drbg_state *state, const void *additional, size_t additional_len)
Reseed DRBG.
Definition: drbg.c:191
drbg_instantiate_algorithm
static void drbg_instantiate_algorithm(struct drbg_state *state, const void *entropy, size_t entropy_len, const void *personal, size_t personal_len)
Instantiate DRBG algorithm.
Definition: drbg.h:71
DBGC
#define DBGC(...)
Definition: compiler.h:505
drbg_state
A Deterministic Random Bit Generator.
Definition: drbg.h:50
ENOTSUP
#define ENOTSUP
Operation not supported.
Definition: errno.h:590
DRBG_MAX_ADDITIONAL_LEN_BYTES
#define DRBG_MAX_ADDITIONAL_LEN_BYTES
Maximum additional input length.
Definition: drbg.h:44
drbg_reseed_algorithm
static void drbg_reseed_algorithm(struct drbg_state *state, const void *entropy, size_t entropy_len, const void *additional, size_t additional_len)
Reseed DRBG algorithm.
Definition: drbg.h:93
assert.h
Assertions.
additional
uint16_t additional
Additional sense code and qualifier.
Definition: scsi.h:28
assert
assert((readw(&hdr->flags) &(GTF_reading|GTF_writing))==0)
drbg_generate_algorithm
static int drbg_generate_algorithm(struct drbg_state *state, const void *additional, size_t additional_len, void *data, size_t len)
Generate pseudorandom bits using DRBG algorithm.
Definition: drbg.h:118
len
ring len
Length.
Definition: dwmac.h:231
DRBG_MAX_SECURITY_STRENGTH
#define DRBG_MAX_SECURITY_STRENGTH
Maximum security strength.
Definition: drbg.h:24
ERANGE
#define ERANGE
Result too large.
Definition: errno.h:640
strerror
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:79
drbg_instantiate
int drbg_instantiate(struct drbg_state *state, const void *personal, size_t personal_len)
Instantiate DRBG.
Definition: drbg.c:79
uint8_t
unsigned char uint8_t
Definition: stdint.h:10
FILE_SECBOOT
FILE_SECBOOT(PERMITTED)
DRBG_MAX_GENERATED_LEN_BYTES
#define DRBG_MAX_GENERATED_LEN_BYTES
Maximum length of generated pseudorandom data per request.
Definition: drbg.h:47
FILE_LICENCE
FILE_LICENCE(GPL2_OR_LATER_OR_UBDL)
data
uint8_t data[48]
Additional event data.
Definition: ena.h:22
DRBG_SECURITY_STRENGTH
#define DRBG_SECURITY_STRENGTH
Security strength.
Definition: drbg.h:31
drbg_uninstantiate
void drbg_uninstantiate(struct drbg_state *state)
Uninstantiate DRBG.
Definition: drbg.c:424
DRBG_MIN_ENTROPY_LEN_BYTES
#define DRBG_MIN_ENTROPY_LEN_BYTES
Minimum entropy input length.
Definition: drbg.h:34
NULL
#define NULL
NULL pointer (VOID *)
Definition: Base.h:322
string.h
String functions.
entropy.h
Entropy source.
DRBG_MAX_PERSONAL_LEN_BYTES
#define DRBG_MAX_PERSONAL_LEN_BYTES
Maximum personalisation string length.
Definition: drbg.h:41
drbg_generate
int drbg_generate(struct drbg_state *state, const void *additional, size_t additional_len, int prediction_resist, void *data, size_t len)
Generate pseudorandom bits using DRBG.
Definition: drbg.c:284
memset
void * memset(void *dest, int character, size_t len) __nonnull
Generated by   doxygen 1.8.15