DRBG mechanism. More...

#include <stdint.h>
#include <ipxe/sha256.h>
#include <ipxe/hmac_drbg.h>

Data Structures
struct	drbg_state
	A Deterministic Random Bit Generator. More...

Macros
#define	HMAC_DRBG_ALGORITHM HMAC_DRBG_SHA256
	Choose HMAC_DRBG using SHA-256. More...

#define	DRBG_MAX_SECURITY_STRENGTH HMAC_DRBG_MAX_SECURITY_STRENGTH ( HMAC_DRBG_ALGORITHM )
	Maximum security strength. More...

#define	DRBG_SECURITY_STRENGTH 128
	Security strength. More...

#define	DRBG_MIN_ENTROPY_LEN_BYTES HMAC_DRBG_MIN_ENTROPY_LEN_BYTES ( DRBG_SECURITY_STRENGTH )
	Minimum entropy input length. More...

#define	DRBG_MAX_ENTROPY_LEN_BYTES HMAC_DRBG_MAX_ENTROPY_LEN_BYTES
	Maximum entropy input length. More...

#define	DRBG_MAX_PERSONAL_LEN_BYTES HMAC_DRBG_MAX_PERSONAL_LEN_BYTES
	Maximum personalisation string length. More...

#define	DRBG_MAX_ADDITIONAL_LEN_BYTES HMAC_DRBG_MAX_ADDITIONAL_LEN_BYTES
	Maximum additional input length. More...

#define	DRBG_MAX_GENERATED_LEN_BYTES HMAC_DRBG_MAX_GENERATED_LEN_BYTES
	Maximum length of generated pseudorandom data per request. More...

Functions
	FILE_LICENCE (GPL2_OR_LATER_OR_UBDL)

	FILE_SECBOOT (PERMITTED)

static void	drbg_instantiate_algorithm (struct drbg_state state, const void entropy, size_t entropy_len, const void *personal, size_t personal_len)
	Instantiate DRBG algorithm. More...

static void	drbg_reseed_algorithm (struct drbg_state state, const void entropy, size_t entropy_len, const void *additional, size_t additional_len)
	Reseed DRBG algorithm. More...

static int	drbg_generate_algorithm (struct drbg_state state, const void additional, size_t additional_len, void *data, size_t len)
	Generate pseudorandom bits using DRBG algorithm. More...

int	drbg_instantiate (struct drbg_state state, const void personal, size_t personal_len)
	Instantiate DRBG. More...

int	drbg_reseed (struct drbg_state state, const void additional, size_t additional_len)
	Reseed DRBG. More...

int	drbg_generate (struct drbg_state state, const void additional, size_t additional_len, int prediction_resist, void *data, size_t len)
	Generate pseudorandom bits using DRBG. More...

void	drbg_uninstantiate (struct drbg_state *state)
	Uninstantiate DRBG. More...

Detailed Description

DRBG mechanism.

Definition in file drbg.h.

Macro Definition Documentation

◆ HMAC_DRBG_ALGORITHM

#define HMAC_DRBG_ALGORITHM HMAC_DRBG_SHA256

Choose HMAC_DRBG using SHA-256.

HMAC_DRBG using SHA-256 is an Approved algorithm in ANS X9.82.

Definition at line 21 of file drbg.h.

◆ DRBG_MAX_SECURITY_STRENGTH

#define DRBG_MAX_SECURITY_STRENGTH HMAC_DRBG_MAX_SECURITY_STRENGTH ( HMAC_DRBG_ALGORITHM )

Maximum security strength.

Definition at line 24 of file drbg.h.

◆ DRBG_SECURITY_STRENGTH

#define DRBG_SECURITY_STRENGTH 128

Security strength.

We choose to operate at a strength of 128 bits.

Definition at line 31 of file drbg.h.

◆ DRBG_MIN_ENTROPY_LEN_BYTES

#define DRBG_MIN_ENTROPY_LEN_BYTES HMAC_DRBG_MIN_ENTROPY_LEN_BYTES ( DRBG_SECURITY_STRENGTH )

Minimum entropy input length.

Definition at line 34 of file drbg.h.

◆ DRBG_MAX_ENTROPY_LEN_BYTES

#define DRBG_MAX_ENTROPY_LEN_BYTES HMAC_DRBG_MAX_ENTROPY_LEN_BYTES

Maximum entropy input length.

Definition at line 38 of file drbg.h.

◆ DRBG_MAX_PERSONAL_LEN_BYTES

#define DRBG_MAX_PERSONAL_LEN_BYTES HMAC_DRBG_MAX_PERSONAL_LEN_BYTES

Maximum personalisation string length.

Definition at line 41 of file drbg.h.

◆ DRBG_MAX_ADDITIONAL_LEN_BYTES

#define DRBG_MAX_ADDITIONAL_LEN_BYTES HMAC_DRBG_MAX_ADDITIONAL_LEN_BYTES

Maximum additional input length.

Definition at line 44 of file drbg.h.

◆ DRBG_MAX_GENERATED_LEN_BYTES

#define DRBG_MAX_GENERATED_LEN_BYTES HMAC_DRBG_MAX_GENERATED_LEN_BYTES

Maximum length of generated pseudorandom data per request.

Definition at line 47 of file drbg.h.

Function Documentation

◆ FILE_LICENCE()

FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL )

◆ FILE_SECBOOT()

FILE_SECBOOT ( PERMITTED )

◆ drbg_instantiate_algorithm()

static void drbg_instantiate_algorithm	(	struct drbg_state *	state,
		const void *	entropy,
		size_t	entropy_len,
		const void *	personal,
		size_t	personal_len
	)

inlinestatic

Instantiate DRBG algorithm.

Parameters

state	Algorithm state
entropy	Entropy input
entropy_len	Length of entropy input
personal	Personalisation string
personal_len	Length of personalisation string

This is the Instantiate_algorithm function defined in ANS X9.82 Part 3-2007 Section 9.2 (NIST SP 800-90 Section 9.1).

Definition at line 71 of file drbg.h.

                                                                       {
         hmac_drbg_instantiate ( HMAC_DRBG_HASH ( HMAC_DRBG_ALGORITHM ),
                                 &state->internal, entropy, entropy_len,
                                 personal, personal_len );
 }

References HMAC_DRBG_ALGORITHM, HMAC_DRBG_HASH, hmac_drbg_instantiate(), and state.

Referenced by drbg_instantiate().

◆ drbg_reseed_algorithm()

static void drbg_reseed_algorithm	(	struct drbg_state *	state,
		const void *	entropy,
		size_t	entropy_len,
		const void *	additional,
		size_t	additional_len
	)

inlinestatic

Reseed DRBG algorithm.

Parameters

state	Algorithm state
entropy	Entropy input
entropy_len	Length of entropy input
additional	Additional input
additional_len	Length of additional input

This is the Reseed_algorithm function defined in ANS X9.82 Part 3-2007 Section 9.3 (NIST SP 800-90 Section 9.2).

Definition at line 93 of file drbg.h.

                                                                    {
         hmac_drbg_reseed ( HMAC_DRBG_HASH ( HMAC_DRBG_ALGORITHM ),
                            &state->internal, entropy, entropy_len,
                            additional, additional_len );
 }

References additional, HMAC_DRBG_ALGORITHM, HMAC_DRBG_HASH, hmac_drbg_reseed(), and state.

Referenced by drbg_reseed().

◆ drbg_generate_algorithm()

static int drbg_generate_algorithm	(	struct drbg_state *	state,
		const void *	additional,
		size_t	additional_len,
		void *	data,
		size_t	len
	)

inlinestatic

Generate pseudorandom bits using DRBG algorithm.

Parameters

state	Algorithm state
additional	Additional input
additional_len	Length of additional input
data	Output buffer
len	Length of output buffer

Return values

rc	Return status code

This is the Generate_algorithm function defined in ANS X9.82 Part 3-2007 Section 9.4 (NIST SP 800-90 Section 9.3).

Note that the only permitted error is "reseed required".

Definition at line 118 of file drbg.h.

                                                                      {
         return hmac_drbg_generate ( HMAC_DRBG_HASH ( HMAC_DRBG_ALGORITHM ),
                                     &state->internal, additional,
                                     additional_len, data, len );
 }

References additional, data, HMAC_DRBG_ALGORITHM, hmac_drbg_generate(), HMAC_DRBG_HASH, len, and state.

Referenced by drbg_generate().

◆ drbg_instantiate()

int drbg_instantiate	(	struct drbg_state *	state,
		const void *	personal,
		size_t	personal_len
	)

Instantiate DRBG.

Parameters

state	Algorithm state to be initialised
personal	Personalisation string
personal_len	Length of personalisation string

Return values

rc	Return status code

This is the Instantiate_function defined in ANS X9.82 Part 3-2007 Section 9.2 (NIST SP 800-90 Section 9.1).

Only a single security strength is supported, and prediction resistance is always enabled. The nonce is accounted for by increasing the entropy input, as per ANS X9.82 Part 3-2007 Section 8.4.2 (NIST SP 800-90 Section 8.6.7).

Definition at line 79 of file drbg.c.

                                              {
         unsigned int entropy_bits = ( ( 3 * DRBG_SECURITY_STRENGTH + 1 ) / 2 );
         size_t min_len = DRBG_MIN_ENTROPY_LEN_BYTES;
         size_t max_len = DRBG_MAX_ENTROPY_LEN_BYTES;
         uint8_t data[max_len];
         int len;
         int rc;
 
         DBGC ( state, "DRBG %p instantiate\n", state );
 
         /* Sanity checks */
         assert ( state != NULL );
 
         /* 1.  If requested_instantiation_security_strength >
          *     highest_supported_security_strength, then return an
          *     ERROR_FLAG
          */
         if ( DRBG_SECURITY_STRENGTH > DRBG_MAX_SECURITY_STRENGTH ) {
                 DBGC ( state, "DRBG %p cannot support security strength %d\n",
                        state, DRBG_SECURITY_STRENGTH );
                 return -ENOTSUP;
         }
 
         /* 2.  If prediction_resistance_flag is set, and prediction
          *     resistance is not supported, then return an ERROR_FLAG
          *
          * (Nothing to do since prediction resistance is always
          * supported.)
          */
 
         /* 3.  If the length of the personalization_string >
          *     max_personalization_string_length, return an ERROR_FLAG
          */
         if ( personal_len > DRBG_MAX_PERSONAL_LEN_BYTES ) {
                 DBGC ( state, "DRBG %p personalisation string too long (%zd "
                        "bytes)\n", state, personal_len );
                 return -ERANGE;
         }
 
         /* 4.  Set security_strength to the nearest security strength
          *     greater than or equal to
          *     requested_instantiation_security_strength.
          *
          * (Nothing to do since we support only a single security
          * strength.)
          */
 
         /* 5.  Using the security_strength, select appropriate DRBG
          *     mechanism parameters.
          *
          * (Nothing to do since we support only a single security
          * strength.)
          */
 
         /* 6.  ( status, entropy_input ) = Get_entropy_input (
          *     security_strength, min_length, max_length,
          *     prediction_resistance_request )
          * 7.  If an ERROR is returned in step 6, return a
          *     CATASTROPHIC_ERROR_FLAG.
          * 8.  Obtain a nonce.
          */
         len = get_entropy_input ( entropy_bits, data, min_len,
                                   sizeof ( data ) );
         if ( len < 0 ) {
                 rc = len;
                 DBGC ( state, "DRBG %p could not get entropy input: %s\n",
                        state, strerror ( rc ) );
                 return rc;
         }
         assert ( len >= ( int ) min_len );
         assert ( len <= ( int ) sizeof ( data ) );
 
         /* 9.  initial_working_state = Instantiate_algorithm (
          *     entropy_input, nonce, personalization_string ).
          */
         drbg_instantiate_algorithm ( state, data, len, personal, personal_len );
 
         /* 10.  Get a state_handle for a currently empty state.  If an
          *      empty internal state cannot be found, return an
          *      ERROR_FLAG.
          * 11.  Set the internal state indicated by state_handle to
          *      the initial values for the internal state (i.e. set
          *      the working_state to the values returned as
          *      initial_working_state in step 9 and any other values
          *      required for the working_state, and set the
          *      administrative information to the appropriate values.
          *
          * (Almost nothing to do since the memory to hold the state
          * was passed in by the caller and has already been updated
          * in-situ.)
          */
         state->reseed_required = 0;
         state->valid = 1;
 
         /* 12.  Return SUCCESS and state_handle. */
         return 0;
 }

References assert(), data, DBGC, drbg_instantiate_algorithm(), DRBG_MAX_ENTROPY_LEN_BYTES, DRBG_MAX_PERSONAL_LEN_BYTES, DRBG_MAX_SECURITY_STRENGTH, DRBG_MIN_ENTROPY_LEN_BYTES, DRBG_SECURITY_STRENGTH, ENOTSUP, ERANGE, get_entropy_input(), len, NULL, rc, state, and strerror().

Referenced by rbg_startup().

◆ drbg_reseed()

int drbg_reseed	(	struct drbg_state *	state,
		const void *	additional,
		size_t	additional_len
	)

Reseed DRBG.

Parameters

state	Algorithm state
additional	Additional input
additional_len	Length of additional input

Return values

rc	Return status code

This is the Reseed_function defined in ANS X9.82 Part 3-2007 Section 9.3 (NIST SP 800-90 Section 9.2).

Prediction resistance is always enabled.

Definition at line 191 of file drbg.c.

                                           {
         unsigned int entropy_bits = DRBG_SECURITY_STRENGTH;
         size_t min_len = DRBG_MIN_ENTROPY_LEN_BYTES;
         size_t max_len = DRBG_MAX_ENTROPY_LEN_BYTES;
         uint8_t data[max_len];
         int len;
         int rc;
 
         DBGC ( state, "DRBG %p reseed\n", state );
 
         /* Sanity checks */
         assert ( state != NULL );
 
         /* 1.  Using state_handle, obtain the current internal state.
          *     If state_handle indicates an invalid or empty internal
          *     state, return an ERROR_FLAG.
          *
          * (Almost nothing to do since the memory holding the internal
          * state was passed in by the caller.)
          */
         if ( ! state->valid ) {
                 DBGC ( state, "DRBG %p not valid\n", state );
                 return -EINVAL;
         }
 
         /* 2.  If prediction_resistance_request is set, and
          *     prediction_resistance_flag is not set, then return an
          *     ERROR_FLAG.
          *
          * (Nothing to do since prediction resistance is always
          * supported.)
          */
 
         /* 3.  If the length of the additional_input >
          *     max_additional_input_length, return an ERROR_FLAG.
          */
         if ( additional_len > DRBG_MAX_ADDITIONAL_LEN_BYTES ) {
                 DBGC ( state, "DRBG %p additional input too long (%zd bytes)\n",
                        state, additional_len );
                 return -ERANGE;
         }
 
         /* 4.  ( status, entropy_input ) = Get_entropy_input (
          *     security_strength, min_length, max_length,
          *     prediction_resistance_request ).
          *
          * 5.  If an ERROR is returned in step 4, return a
          *     CATASTROPHIC_ERROR_FLAG.
          */
         len = get_entropy_input ( entropy_bits, data, min_len,
                                   sizeof ( data ) );
         if ( len < 0 ) {
                 rc = len;
                 DBGC ( state, "DRBG %p could not get entropy input: %s\n",
                        state, strerror ( rc ) );
                 return rc;
         }
 
         /* 6.  new_working_state = Reseed_algorithm ( working_state,
          *     entropy_input, additional_input ).
          */
         drbg_reseed_algorithm ( state, data, len, additional, additional_len );
 
         /* 7.  Replace the working_state in the internal state
          *     indicated by state_handle with the values of
          *     new_working_state obtained in step 6.
          *
          * (Nothing to do since the state has already been updated in-situ.)
          */
 
         /* 8.  Return SUCCESS. */
         return 0;
 }

References additional, assert(), data, DBGC, DRBG_MAX_ADDITIONAL_LEN_BYTES, DRBG_MAX_ENTROPY_LEN_BYTES, DRBG_MIN_ENTROPY_LEN_BYTES, drbg_reseed_algorithm(), DRBG_SECURITY_STRENGTH, EINVAL, ERANGE, get_entropy_input(), len, NULL, rc, state, and strerror().

Referenced by drbg_generate().

◆ drbg_generate()

int drbg_generate	(	struct drbg_state *	state,
		const void *	additional,
		size_t	additional_len,
		int	prediction_resist,
		void *	data,
		size_t	len
	)

Generate pseudorandom bits using DRBG.

Parameters

state	Algorithm state
additional	Additional input
additional_len	Length of additional input
prediction_resist	Prediction resistance is required
data	Output buffer
len	Length of output buffer

Return values

rc	Return status code

This is the Generate_function defined in ANS X9.82 Part 3-2007 Section 9.4 (NIST SP 800-90 Section 9.3).

Requests must be for an integral number of bytes. Only a single security strength is supported. Prediction resistance is supported if requested.

Definition at line 284 of file drbg.c.

                                              {
         int rc;
 
         DBGC ( state, "DRBG %p generate\n", state );
 
         /* Sanity checks */
         assert ( state != NULL );
         assert ( data != NULL );
 
         /* 1.  Using state_handle, obtain the current internal state
          *     for the instantiation.  If state_handle indicates an
          *     invalid or empty internal state, then return an ERROR_FLAG.
          *
          * (Almost nothing to do since the memory holding the internal
          * state was passed in by the caller.)
          */
         if ( ! state->valid ) {
                 DBGC ( state, "DRBG %p not valid\n", state );
                 return -EINVAL;
         }
 
         /* 2.  If requested_number_of_bits >
          *     max_number_of_bits_per_request, then return an
          *     ERROR_FLAG.
          */
         if ( len > DRBG_MAX_GENERATED_LEN_BYTES ) {
                 DBGC ( state, "DRBG %p request too long (%zd bytes)\n",
                        state, len );
                 return -ERANGE;
         }
 
         /* 3.  If requested_security_strength > the security_strength
          *     indicated in the internal state, then return an
          *     ERROR_FLAG.
          *
          * (Nothing to do since only a single security strength is
          * supported.)
          */
 
         /* 4.  If the length of the additional_input >
          *     max_additional_input_length, then return an ERROR_FLAG.
          */
         if ( additional_len > DRBG_MAX_ADDITIONAL_LEN_BYTES ) {
                 DBGC ( state, "DRBG %p additional input too long (%zd bytes)\n",
                        state, additional_len );
                 return -ERANGE;
         }
 
         /* 5.  If prediction_resistance_request is set, and
          *     prediction_resistance_flag is not set, then return an
          *     ERROR_FLAG.
          *
          * (Nothing to do since prediction resistance is always
          * supported.)
          */
 
         /* 6.  Clear the reseed_required_flag. */
         state->reseed_required = 0;
 
  step_7:
         /* 7.  If reseed_required_flag is set, or if
          *     prediction_resistance_request is set, then
          */
         if ( state->reseed_required || prediction_resist ) {
 
                 /* 7.1  status = Reseed_function ( state_handle,
                  *      prediction_resistance_request,
                  *      additional_input )
                  * 7.2  If status indicates an ERROR, then return
                  *      status.
                  */
                 if ( ( rc = drbg_reseed ( state, additional,
                                           additional_len ) ) != 0 ) {
                         DBGC ( state, "DRBG %p could not reseed: %s\n",
                                state, strerror ( rc ) );
                         return rc;
                 }
 
                 /* 7.3  Using state_handle, obtain the new internal
                  *      state.
                  *
                  * (Nothing to do since the internal state has been
                  * updated in-situ.)
                  */
 
                 /* 7.4  additional_input = the Null string. */
                 additional = NULL;
                 additional_len = 0;
 
                 /* 7.5  Clear the reseed_required_flag. */
                 state->reseed_required = 0;
         }
 
         /* 8.  ( status, pseudorandom_bits, new_working_state ) =
          *     Generate_algorithm ( working_state,
          *     requested_number_of_bits, additional_input ).
          */
         rc = drbg_generate_algorithm ( state, additional, additional_len,
                                        data, len );
 
         /* 9.  If status indicates that a reseed is required before
          *     the requested bits can be generated, then
          */
         if ( rc != 0 ) {
 
                 /* 9.1  Set the reseed_required_flag. */
                 state->reseed_required = 1;
 
                 /* 9.2  If the prediction_resistance_flag is set, then
                  *      set the prediction_resistance_request
                  *      indication.
                  */
                 prediction_resist = 1;
 
                 /* 9.3  Go to step 7. */
                 goto step_7;
         }
 
         /* 10.  Replace the old working_state in the internal state
          *      indicated by state_handle with the values of
          *      new_working_state.
          *
          * (Nothing to do since the working state has already been
          * updated in-situ.)
          */
 
         /* 11.  Return SUCCESS and pseudorandom_bits. */
         return 0;
 }

References additional, assert(), data, DBGC, drbg_generate_algorithm(), DRBG_MAX_ADDITIONAL_LEN_BYTES, DRBG_MAX_GENERATED_LEN_BYTES, drbg_reseed(), EINVAL, ERANGE, len, NULL, rc, state, and strerror().

Referenced by rbg_generate().

◆ drbg_uninstantiate()

void drbg_uninstantiate ( struct drbg_state * state )

Uninstantiate DRBG.

Parameters

state Algorithm state

This is the Uninstantiate_function defined in ANS X9.82 Part 3-2007 Section 9.5 (NIST SP 800-90 Section 9.4).

Definition at line 424 of file drbg.c.

                                                      {
 
         DBGC ( state, "DRBG %p uninstantiate\n", state );
 
         /* Sanity checks */
         assert ( state != NULL );
 
         /* 1.  If state_handle indicates an invalid state, then return
          *     an ERROR_FLAG.
          *
          * (Nothing to do since the memory holding the internal state
          * was passed in by the caller.)
          */
 
         /* 2.  Erase the contents of the internal state indicated by
          *     state_handle.
          */
         memset ( state, 0, sizeof ( *state ) );
 
         /* 3.  Return SUCCESS. */
 }

References assert(), DBGC, memset(), NULL, and state.

Referenced by rbg_shutdown().

Data Structures

Macros

Functions

Detailed Description

Macro Definition Documentation

◆ HMAC_DRBG_ALGORITHM

◆ DRBG_MAX_SECURITY_STRENGTH

◆ DRBG_SECURITY_STRENGTH

◆ DRBG_MIN_ENTROPY_LEN_BYTES

◆ DRBG_MAX_ENTROPY_LEN_BYTES

◆ DRBG_MAX_PERSONAL_LEN_BYTES

◆ DRBG_MAX_ADDITIONAL_LEN_BYTES

◆ DRBG_MAX_GENERATED_LEN_BYTES

Function Documentation

◆ FILE_LICENCE()

◆ FILE_SECBOOT()

◆ drbg_instantiate_algorithm()

◆ drbg_reseed_algorithm()

◆ drbg_generate_algorithm()

◆ drbg_instantiate()

◆ drbg_reseed()

◆ drbg_generate()

◆ drbg_uninstantiate()