2 * Copyright (C) 2012 Michael Brown <mbrown@fensystems.co.uk>.
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License as
6 * published by the Free Software Foundation; either version 2 of the
7 * License, or any later version.
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * General Public License for more details.
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
16 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
20 FILE_LICENCE ( GPL2_OR_LATER );
26 * This mechanism is designed to comply with ANS X9.82 Part 3-2007
27 * Section 9. This standard is not freely available, but most of the
28 * text appears to be shared with NIST SP 800-90, which can be
31 * http://csrc.nist.gov/publications/nistpubs/800-90/SP800-90revised_March2007.pdf
33 * Where possible, references are given to both documents. In the
34 * case of any disagreement, ANS X9.82 takes priority over NIST SP
35 * 800-90. (In particular, note that some algorithms that are
36 * Approved by NIST SP 800-90 are not Approved by ANS X9.82.)
43 #include <ipxe/entropy.h>
44 #include <ipxe/drbg.h>
49 * @v state Algorithm state to be initialised
50 * @v personal Personalisation string
51 * @v personal_len Length of personalisation string
52 * @ret rc Return status code
54 * This is the Instantiate_function defined in ANS X9.82 Part 3-2007
55 * Section 9.2 (NIST SP 800-90 Section 9.1).
57 * Only a single security strength is supported, and prediction
58 * resistance is always enabled. The nonce is accounted for by
59 * increasing the entropy input, as per ANS X9.82 Part 3-2007 Section
60 * 8.4.2 (NIST SP 800-90 Section 8.6.7).
62 int drbg_instantiate ( struct drbg_state *state, const void *personal,
63 size_t personal_len ) {
64 unsigned int entropy_bits = ( ( 3 * DRBG_SECURITY_STRENGTH + 1 ) / 2 );
65 size_t min_len = DRBG_MIN_ENTROPY_LEN_BYTES;
66 size_t max_len = DRBG_MAX_ENTROPY_LEN_BYTES;
67 uint8_t data[max_len];
71 DBGC ( state, "DRBG %p instantiate\n", state );
74 assert ( state != NULL );
76 /* 1. If requested_instantiation_security_strength >
77 * highest_supported_security_strength, then return an
80 if ( DRBG_SECURITY_STRENGTH > DRBG_MAX_SECURITY_STRENGTH ) {
81 DBGC ( state, "DRBG %p cannot support security strength %d\n",
82 state, DRBG_SECURITY_STRENGTH );
86 /* 2. If prediction_resistance_flag is set, and prediction
87 * resistance is not supported, then return an ERROR_FLAG
89 * (Nothing to do since prediction resistance is always
93 /* 3. If the length of the personalization_string >
94 * max_personalization_string_length, return an ERROR_FLAG
96 if ( personal_len > DRBG_MAX_PERSONAL_LEN_BYTES ) {
97 DBGC ( state, "DRBG %p personalisation string too long (%zd "
98 "bytes)\n", state, personal_len );
102 /* 4. Set security_strength to the nearest security strength
103 * greater than or equal to
104 * requested_instantiation_security_strength.
106 * (Nothing to do since we support only a single security
110 /* 5. Using the security_strength, select appropriate DRBG
111 * mechanism parameters.
113 * (Nothing to do since we support only a single security
117 /* 6. ( status, entropy_input ) = Get_entropy_input (
118 * security_strength, min_length, max_length,
119 * prediction_resistance_request )
120 * 7. If an ERROR is returned in step 6, return a
121 * CATASTROPHIC_ERROR_FLAG.
124 len = get_entropy_input ( entropy_bits, data, min_len,
128 DBGC ( state, "DRBG %p could not get entropy input: %s\n",
129 state, strerror ( rc ) );
132 assert ( len >= ( int ) min_len );
133 assert ( len <= ( int ) sizeof ( data ) );
135 /* 9. initial_working_state = Instantiate_algorithm (
136 * entropy_input, nonce, personalization_string ).
138 drbg_instantiate_algorithm ( state, data, len, personal, personal_len );
140 /* 10. Get a state_handle for a currently empty state. If an
141 * empty internal state cannot be found, return an
143 * 11. Set the internal state indicated by state_handle to
144 * the initial values for the internal state (i.e. set
145 * the working_state to the values returned as
146 * initial_working_state in step 9 and any other values
147 * required for the working_state, and set the
148 * administrative information to the appropriate values.
150 * (Almost nothing to do since the memory to hold the state
151 * was passed in by the caller and has already been updated
154 state->reseed_required = 0;
157 /* 12. Return SUCCESS and state_handle. */
164 * @v state Algorithm state
165 * @v additional Additional input
166 * @v additional_len Length of additional input
167 * @ret rc Return status code
169 * This is the Reseed_function defined in ANS X9.82 Part 3-2007
170 * Section 9.3 (NIST SP 800-90 Section 9.2).
172 * Prediction resistance is always enabled.
174 int drbg_reseed ( struct drbg_state *state, const void *additional,
175 size_t additional_len ) {
176 unsigned int entropy_bits = DRBG_SECURITY_STRENGTH;
177 size_t min_len = DRBG_MIN_ENTROPY_LEN_BYTES;
178 size_t max_len = DRBG_MAX_ENTROPY_LEN_BYTES;
179 uint8_t data[max_len];
183 DBGC ( state, "DRBG %p reseed\n", state );
186 assert ( state != NULL );
188 /* 1. Using state_handle, obtain the current internal state.
189 * If state_handle indicates an invalid or empty internal
190 * state, return an ERROR_FLAG.
192 * (Almost nothing to do since the memory holding the internal
193 * state was passed in by the caller.)
195 if ( ! state->valid ) {
196 DBGC ( state, "DRBG %p not valid\n", state );
200 /* 2. If prediction_resistance_request is set, and
201 * prediction_resistance_flag is not set, then return an
204 * (Nothing to do since prediction resistance is always
208 /* 3. If the length of the additional_input >
209 * max_additional_input_length, return an ERROR_FLAG.
211 if ( additional_len > DRBG_MAX_ADDITIONAL_LEN_BYTES ) {
212 DBGC ( state, "DRBG %p additional input too long (%zd bytes)\n",
213 state, additional_len );
217 /* 4. ( status, entropy_input ) = Get_entropy_input (
218 * security_strength, min_length, max_length,
219 * prediction_resistance_request ).
221 * 5. If an ERROR is returned in step 4, return a
222 * CATASTROPHIC_ERROR_FLAG.
224 len = get_entropy_input ( entropy_bits, data, min_len,
228 DBGC ( state, "DRBG %p could not get entropy input: %s\n",
229 state, strerror ( rc ) );
233 /* 6. new_working_state = Reseed_algorithm ( working_state,
234 * entropy_input, additional_input ).
236 drbg_reseed_algorithm ( state, data, len, additional, additional_len );
238 /* 7. Replace the working_state in the internal state
239 * indicated by state_handle with the values of
240 * new_working_state obtained in step 6.
242 * (Nothing to do since the state has already been updated in-situ.)
245 /* 8. Return SUCCESS. */
250 * Generate pseudorandom bits using DRBG
252 * @v state Algorithm state
253 * @v additional Additional input
254 * @v additional_len Length of additional input
255 * @v prediction_resist Prediction resistance is required
256 * @v data Output buffer
257 * @v len Length of output buffer
258 * @ret rc Return status code
260 * This is the Generate_function defined in ANS X9.82 Part 3-2007
261 * Section 9.4 (NIST SP 800-90 Section 9.3).
263 * Requests must be for an integral number of bytes. Only a single
264 * security strength is supported. Prediction resistance is supported
267 int drbg_generate ( struct drbg_state *state, const void *additional,
268 size_t additional_len, int prediction_resist,
269 void *data, size_t len ) {
272 DBGC ( state, "DRBG %p generate\n", state );
275 assert ( state != NULL );
276 assert ( data != NULL );
278 /* 1. Using state_handle, obtain the current internal state
279 * for the instantiation. If state_handle indicates an
280 * invalid or empty internal state, then return an ERROR_FLAG.
282 * (Almost nothing to do since the memory holding the internal
283 * state was passed in by the caller.)
285 if ( ! state->valid ) {
286 DBGC ( state, "DRBG %p not valid\n", state );
290 /* 2. If requested_number_of_bits >
291 * max_number_of_bits_per_request, then return an
294 if ( len > DRBG_MAX_GENERATED_LEN_BYTES ) {
295 DBGC ( state, "DRBG %p request too long (%zd bytes)\n",
300 /* 3. If requested_security_strength > the security_strength
301 * indicated in the internal state, then return an
304 * (Nothing to do since only a single security strength is
308 /* 4. If the length of the additional_input >
309 * max_additional_input_length, then return an ERROR_FLAG.
311 if ( additional_len > DRBG_MAX_ADDITIONAL_LEN_BYTES ) {
312 DBGC ( state, "DRBG %p additional input too long (%zd bytes)\n",
313 state, additional_len );
317 /* 5. If prediction_resistance_request is set, and
318 * prediction_resistance_flag is not set, then return an
321 * (Nothing to do since prediction resistance is always
325 /* 6. Clear the reseed_required_flag. */
326 state->reseed_required = 0;
329 /* 7. If reseed_required_flag is set, or if
330 * prediction_resistance_request is set, then
332 if ( state->reseed_required || prediction_resist ) {
334 /* 7.1 status = Reseed_function ( state_handle,
335 * prediction_resistance_request,
337 * 7.2 If status indicates an ERROR, then return
340 if ( ( rc = drbg_reseed ( state, additional,
341 additional_len ) ) != 0 ) {
342 DBGC ( state, "DRBG %p could not reseed: %s\n",
343 state, strerror ( rc ) );
347 /* 7.3 Using state_handle, obtain the new internal
350 * (Nothing to do since the internal state has been
354 /* 7.4 additional_input = the Null string. */
358 /* 7.5 Clear the reseed_required_flag. */
359 state->reseed_required = 0;
362 /* 8. ( status, pseudorandom_bits, new_working_state ) =
363 * Generate_algorithm ( working_state,
364 * requested_number_of_bits, additional_input ).
366 rc = drbg_generate_algorithm ( state, additional, additional_len,
369 /* 9. If status indicates that a reseed is required before
370 * the requested bits can be generated, then
374 /* 9.1 Set the reseed_required_flag. */
375 state->reseed_required = 1;
377 /* 9.2 If the prediction_resistance_flag is set, then
378 * set the prediction_resistance_request
381 prediction_resist = 1;
383 /* 9.3 Go to step 7. */
387 /* 10. Replace the old working_state in the internal state
388 * indicated by state_handle with the values of
391 * (Nothing to do since the working state has already been
395 /* 11. Return SUCCESS and pseudorandom_bits. */
402 * @v state Algorithm state
404 * This is the Uninstantiate_function defined in ANS X9.82 Part 3-2007
405 * Section 9.5 (NIST SP 800-90 Section 9.4).
407 void drbg_uninstantiate ( struct drbg_state *state ) {
409 DBGC ( state, "DRBG %p uninstantiate\n", state );
412 assert ( state != NULL );
414 /* 1. If state_handle indicates an invalid state, then return
417 * (Nothing to do since the memory holding the internal state
418 * was passed in by the caller.)
421 /* 2. Erase the contents of the internal state indicated by
424 memset ( state, 0, sizeof ( *state ) );
426 /* 3. Return SUCCESS. */