#ifndef _IPXE_HMAC_DRBG_H #define _IPXE_HMAC_DRBG_H /** @file * * HMAC_DRBG algorithm * */ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); #include #include /** Declare an HMAC_DRBG algorithm * * @v hash Underlying hash algorithm * @v max_security_strength Maxmimum security strength * @v out_len_bits Output block length, in bits * @ret hmac_drbg HMAC_DRBG algorithm */ #define HMAC_DRBG( hash, max_security_strength, out_len_bits ) \ ( hash, max_security_strength, out_len_bits ) /** HMAC_DRBG using SHA-1 * * The maximum security strength of HMAC_DRBG using SHA-1 is 128 bits * according to the list of maximum security strengths documented in * NIST SP 800-57 Part 1 Section 5.6.1 Table 3. * * The output block length of HMAC_DRBG using SHA-1 is 160 bits * according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2 (NIST SP * 800-90 Section 10.1 Table 2). */ #define HMAC_DRBG_SHA1 HMAC_DRBG ( &sha1_algorithm, 128, 160 ) /** HMAC_DRBG using SHA-224 * * The maximum security strength of HMAC_DRBG using SHA-224 is 192 * bits according to the list of maximum security strengths documented * in NIST SP 800-57 Part 1 Section 5.6.1 Table 3. * * The output block length of HMAC_DRBG using SHA-224 is 224 bits * according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2 (NIST SP * 800-90 Section 10.1 Table 2). */ #define HMAC_DRBG_SHA224 HMAC_DRBG ( &sha224_algorithm, 192, 224 ) /** HMAC_DRBG using SHA-256 * * The maximum security strength of HMAC_DRBG using SHA-256 is 256 * bits according to the list of maximum security strengths documented * in NIST SP 800-57 Part 1 Section 5.6.1 Table 3. * * The output block length of HMAC_DRBG using SHA-256 is 256 bits * according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2 (NIST SP * 800-90 Section 10.1 Table 2). */ #define HMAC_DRBG_SHA256 HMAC_DRBG ( &sha256_algorithm, 256, 256 ) /** HMAC_DRBG using SHA-384 * * The maximum security strength of HMAC_DRBG using SHA-384 is 256 * bits according to the list of maximum security strengths documented * in NIST SP 800-57 Part 1 Section 5.6.1 Table 3. * * The output block length of HMAC_DRBG using SHA-384 is 384 bits * according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2 (NIST SP * 800-90 Section 10.1 Table 2). */ #define HMAC_DRBG_SHA384 HMAC_DRBG ( &sha384_algorithm, 256, 384 ) /** HMAC_DRBG using SHA-512 * * The maximum security strength of HMAC_DRBG using SHA-512 is 256 * bits according to the list of maximum security strengths documented * in NIST SP 800-57 Part 1 Section 5.6.1 Table 3. * * The output block length of HMAC_DRBG using SHA-512 is 512 bits * according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2 (NIST SP * 800-90 Section 10.1 Table 2). */ #define HMAC_DRBG_SHA512 HMAC_DRBG ( &sha512_algorithm, 256, 512 ) /** Underlying hash algorithm * * @v hmac_drbg HMAC_DRBG algorithm * @ret hash Underlying hash algorithm */ #define HMAC_DRBG_HASH( hmac_drbg ) \ HMAC_DRBG_EXTRACT_HASH hmac_drbg #define HMAC_DRBG_EXTRACT_HASH( hash, max_security_strength, out_len_bits ) \ hash /** Maximum security strength * * @v hmac_drbg HMAC_DRBG algorithm * @ret max_security_strength Maxmimum security strength */ #define HMAC_DRBG_MAX_SECURITY_STRENGTH( hmac_drbg ) \ HMAC_DRBG_EXTRACT_MAX_SECURITY_STRENGTH hmac_drbg #define HMAC_DRBG_EXTRACT_MAX_SECURITY_STRENGTH( hash, max_security_strength, \ out_len_bits ) \ max_security_strength /** Output block length, in bits * * @v hmac_drbg HMAC_DRBG algorithm * @ret out_len_bits Output block length, in bits */ #define HMAC_DRBG_OUTLEN_BITS( hmac_drbg ) \ HMAC_DRBG_EXTRACT_OUTLEN_BITS hmac_drbg #define HMAC_DRBG_EXTRACT_OUTLEN_BITS( hash, max_security_strength, \ out_len_bits ) \ out_len_bits /** Output block length, in bytes * * @v hmac_drbg HMAC_DRBG algorithm * @ret out_len_bytes Output block length, in bytes */ #define HMAC_DRBG_OUTLEN_BYTES( hmac_drbg ) \ ( HMAC_DRBG_OUTLEN_BITS ( hmac_drbg ) / 8 ) /** Maximum output block length, in bytes * * The maximum output block length for HMAC_DRBG is 512 bits for * SHA-512 according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2 * (NIST SP 800-90 Section 10.1 Table 2). */ #define HMAC_DRBG_MAX_OUTLEN_BYTES HMAC_DRBG_OUTLEN_BYTES ( HMAC_DRBG_SHA512 ) /** Required minimum entropy for instantiate and reseed * * @v security_strength Security strength * @ret min_entropy Required minimum entropy * * The minimum required entropy for HMAC_DRBG is equal to the security * strength according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2 * (NIST SP 800-90 Section 10.1 Table 2). */ #define HMAC_DRBG_MIN_ENTROPY( security_strength ) (security_strength) /** Minimum entropy input length * * @v security_strength Security strength * @ret min_entropy_len_bytes Required minimum entropy length (in bytes) * * The minimum entropy input length for HMAC_DRBG is equal to the * security strength according to ANS X9.82 Part 3-2007 Section 10.2.1 * Table 2 (NIST SP 800-90 Section 10.1 Table 2). */ #define HMAC_DRBG_MIN_ENTROPY_LEN_BYTES( security_strength ) \ ( (security_strength) / 8 ) /** Maximum entropy input length * * The maximum entropy input length for HMAC_DRBG is 2^35 bits * according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2 (NIST SP * 800-90 Section 10.1 Table 2). * * We choose to allow up to 32 bytes. */ #define HMAC_DRBG_MAX_ENTROPY_LEN_BYTES 32 /** Maximum personalisation string length * * The maximum permitted personalisation string length for HMAC_DRBG * is 2^35 bits according to ANS X9.82 Part 3-2007 Section 10.2.1 * Table 1 (NIST SP 800-90 Section 10.1 Table 2). * * We choose to allow up to 2^32-1 bytes (i.e. 2^35-8 bits). */ #define HMAC_DRBG_MAX_PERSONAL_LEN_BYTES 0xffffffffUL /** Maximum additional input length * * The maximum permitted additional input length for HMAC_DRBG is 2^35 * bits according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 1 * (NIST SP 800-90 Section 10.1 Table 2). * * We choose to allow up to 2^32-1 bytes (i.e. 2^35-8 bits). */ #define HMAC_DRBG_MAX_ADDITIONAL_LEN_BYTES 0xffffffffUL /** Maximum length of generated pseudorandom data per request * * The maximum number of bits per request for HMAC_DRBG is 2^19 bits * according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 1 (NIST SP * 800-90 Section 10.1 Table 2). * * We choose to allow up to 2^16-1 bytes (i.e. 2^19-8 bits). */ #define HMAC_DRBG_MAX_GENERATED_LEN_BYTES 0x0000ffffUL /** Reseed interval * * The maximum permitted reseed interval for HMAC_DRBG is 2^48 * according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2 (NIST SP * 800-90 Section 10.1 Table 2). However, the sample implementation * given in ANS X9.82 Part 3-2007 Annex E.2.1 (NIST SP 800-90 Appendix * F.2) shows a reseed interval of 10000. * * We choose a very conservative reseed interval. */ #define HMAC_DRBG_RESEED_INTERVAL 1024 /** * HMAC_DRBG internal state * * This structure is defined by ANS X9.82 Part 3-2007 Section * 10.2.2.2.1 (NIST SP 800-90 Section 10.1.2.1). * * The "administrative information" portions (security_strength and * prediction_resistance) are design-time constants and so are not * present as fields in this structure. */ struct hmac_drbg_state { /** Current value * * "The value V of outlen bits, which is updated each time * another outlen bits of output are produced" */ uint8_t value[HMAC_DRBG_MAX_OUTLEN_BYTES]; /** Current key * * "The outlen-bit Key, which is updated at least once each * time that the DRBG mechanism generates pseudorandom bits." */ uint8_t key[HMAC_DRBG_MAX_OUTLEN_BYTES]; /** Reseed counter * * "A counter (reseed_counter) that indicates the number of * requests for pseudorandom bits since instantiation or * reseeding" */ unsigned int reseed_counter; }; extern void hmac_drbg_instantiate ( struct digest_algorithm *hash, struct hmac_drbg_state *state, const void *entropy, size_t entropy_len, const void *personal, size_t personal_len ); extern void hmac_drbg_reseed ( struct digest_algorithm *hash, struct hmac_drbg_state *state, const void *entropy, size_t entropy_len, const void *additional, size_t additional_len ); extern int hmac_drbg_generate ( struct digest_algorithm *hash, struct hmac_drbg_state *state, const void *additional, size_t additional_len, void *data, size_t len ); #endif /* _IPXE_HMAC_DRBG_H */