| #ifndef _IPXE_HMAC_DRBG_H |
| #define _IPXE_HMAC_DRBG_H |
| |
| /** @file |
| * |
| * HMAC_DRBG algorithm |
| * |
| */ |
| |
| FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); |
| |
| #include <stdint.h> |
| #include <ipxe/crypto.h> |
| |
| /** Declare an HMAC_DRBG algorithm |
| * |
| * @v hash Underlying hash algorithm |
| * @v max_security_strength Maxmimum security strength |
| * @v out_len_bits Output block length, in bits |
| * @ret hmac_drbg HMAC_DRBG algorithm |
| */ |
| #define HMAC_DRBG( hash, max_security_strength, out_len_bits ) \ |
| ( hash, max_security_strength, out_len_bits ) |
| |
| /** HMAC_DRBG using SHA-1 |
| * |
| * The maximum security strength of HMAC_DRBG using SHA-1 is 128 bits |
| * according to the list of maximum security strengths documented in |
| * NIST SP 800-57 Part 1 Section 5.6.1 Table 3. |
| * |
| * The output block length of HMAC_DRBG using SHA-1 is 160 bits |
| * according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2 (NIST SP |
| * 800-90 Section 10.1 Table 2). |
| */ |
| #define HMAC_DRBG_SHA1 HMAC_DRBG ( &sha1_algorithm, 128, 160 ) |
| |
| /** HMAC_DRBG using SHA-224 |
| * |
| * The maximum security strength of HMAC_DRBG using SHA-224 is 192 |
| * bits according to the list of maximum security strengths documented |
| * in NIST SP 800-57 Part 1 Section 5.6.1 Table 3. |
| * |
| * The output block length of HMAC_DRBG using SHA-224 is 224 bits |
| * according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2 (NIST SP |
| * 800-90 Section 10.1 Table 2). |
| */ |
| #define HMAC_DRBG_SHA224 HMAC_DRBG ( &sha224_algorithm, 192, 224 ) |
| |
| /** HMAC_DRBG using SHA-256 |
| * |
| * The maximum security strength of HMAC_DRBG using SHA-256 is 256 |
| * bits according to the list of maximum security strengths documented |
| * in NIST SP 800-57 Part 1 Section 5.6.1 Table 3. |
| * |
| * The output block length of HMAC_DRBG using SHA-256 is 256 bits |
| * according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2 (NIST SP |
| * 800-90 Section 10.1 Table 2). |
| */ |
| #define HMAC_DRBG_SHA256 HMAC_DRBG ( &sha256_algorithm, 256, 256 ) |
| |
| /** HMAC_DRBG using SHA-384 |
| * |
| * The maximum security strength of HMAC_DRBG using SHA-384 is 256 |
| * bits according to the list of maximum security strengths documented |
| * in NIST SP 800-57 Part 1 Section 5.6.1 Table 3. |
| * |
| * The output block length of HMAC_DRBG using SHA-384 is 384 bits |
| * according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2 (NIST SP |
| * 800-90 Section 10.1 Table 2). |
| */ |
| #define HMAC_DRBG_SHA384 HMAC_DRBG ( &sha384_algorithm, 256, 384 ) |
| |
| /** HMAC_DRBG using SHA-512 |
| * |
| * The maximum security strength of HMAC_DRBG using SHA-512 is 256 |
| * bits according to the list of maximum security strengths documented |
| * in NIST SP 800-57 Part 1 Section 5.6.1 Table 3. |
| * |
| * The output block length of HMAC_DRBG using SHA-512 is 512 bits |
| * according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2 (NIST SP |
| * 800-90 Section 10.1 Table 2). |
| */ |
| #define HMAC_DRBG_SHA512 HMAC_DRBG ( &sha512_algorithm, 256, 512 ) |
| |
| /** Underlying hash algorithm |
| * |
| * @v hmac_drbg HMAC_DRBG algorithm |
| * @ret hash Underlying hash algorithm |
| */ |
| #define HMAC_DRBG_HASH( hmac_drbg ) \ |
| HMAC_DRBG_EXTRACT_HASH hmac_drbg |
| #define HMAC_DRBG_EXTRACT_HASH( hash, max_security_strength, out_len_bits ) \ |
| hash |
| |
| /** Maximum security strength |
| * |
| * @v hmac_drbg HMAC_DRBG algorithm |
| * @ret max_security_strength Maxmimum security strength |
| */ |
| #define HMAC_DRBG_MAX_SECURITY_STRENGTH( hmac_drbg ) \ |
| HMAC_DRBG_EXTRACT_MAX_SECURITY_STRENGTH hmac_drbg |
| #define HMAC_DRBG_EXTRACT_MAX_SECURITY_STRENGTH( hash, max_security_strength, \ |
| out_len_bits ) \ |
| max_security_strength |
| |
| /** Output block length, in bits |
| * |
| * @v hmac_drbg HMAC_DRBG algorithm |
| * @ret out_len_bits Output block length, in bits |
| */ |
| #define HMAC_DRBG_OUTLEN_BITS( hmac_drbg ) \ |
| HMAC_DRBG_EXTRACT_OUTLEN_BITS hmac_drbg |
| #define HMAC_DRBG_EXTRACT_OUTLEN_BITS( hash, max_security_strength, \ |
| out_len_bits ) \ |
| out_len_bits |
| |
| /** Output block length, in bytes |
| * |
| * @v hmac_drbg HMAC_DRBG algorithm |
| * @ret out_len_bytes Output block length, in bytes |
| */ |
| #define HMAC_DRBG_OUTLEN_BYTES( hmac_drbg ) \ |
| ( HMAC_DRBG_OUTLEN_BITS ( hmac_drbg ) / 8 ) |
| |
| /** Maximum output block length, in bytes |
| * |
| * The maximum output block length for HMAC_DRBG is 512 bits for |
| * SHA-512 according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2 |
| * (NIST SP 800-90 Section 10.1 Table 2). |
| */ |
| #define HMAC_DRBG_MAX_OUTLEN_BYTES HMAC_DRBG_OUTLEN_BYTES ( HMAC_DRBG_SHA512 ) |
| |
| /** Required minimum entropy for instantiate and reseed |
| * |
| * @v security_strength Security strength |
| * @ret min_entropy Required minimum entropy |
| * |
| * The minimum required entropy for HMAC_DRBG is equal to the security |
| * strength according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2 |
| * (NIST SP 800-90 Section 10.1 Table 2). |
| */ |
| #define HMAC_DRBG_MIN_ENTROPY( security_strength ) (security_strength) |
| |
| /** Minimum entropy input length |
| * |
| * @v security_strength Security strength |
| * @ret min_entropy_len_bytes Required minimum entropy length (in bytes) |
| * |
| * The minimum entropy input length for HMAC_DRBG is equal to the |
| * security strength according to ANS X9.82 Part 3-2007 Section 10.2.1 |
| * Table 2 (NIST SP 800-90 Section 10.1 Table 2). |
| */ |
| #define HMAC_DRBG_MIN_ENTROPY_LEN_BYTES( security_strength ) \ |
| ( (security_strength) / 8 ) |
| |
| /** Maximum entropy input length |
| * |
| * The maximum entropy input length for HMAC_DRBG is 2^35 bits |
| * according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2 (NIST SP |
| * 800-90 Section 10.1 Table 2). |
| * |
| * We choose to allow up to 32 bytes. |
| */ |
| #define HMAC_DRBG_MAX_ENTROPY_LEN_BYTES 32 |
| |
| /** Maximum personalisation string length |
| * |
| * The maximum permitted personalisation string length for HMAC_DRBG |
| * is 2^35 bits according to ANS X9.82 Part 3-2007 Section 10.2.1 |
| * Table 1 (NIST SP 800-90 Section 10.1 Table 2). |
| * |
| * We choose to allow up to 2^32-1 bytes (i.e. 2^35-8 bits). |
| */ |
| #define HMAC_DRBG_MAX_PERSONAL_LEN_BYTES 0xffffffffUL |
| |
| /** Maximum additional input length |
| * |
| * The maximum permitted additional input length for HMAC_DRBG is 2^35 |
| * bits according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 1 |
| * (NIST SP 800-90 Section 10.1 Table 2). |
| * |
| * We choose to allow up to 2^32-1 bytes (i.e. 2^35-8 bits). |
| */ |
| #define HMAC_DRBG_MAX_ADDITIONAL_LEN_BYTES 0xffffffffUL |
| |
| /** Maximum length of generated pseudorandom data per request |
| * |
| * The maximum number of bits per request for HMAC_DRBG is 2^19 bits |
| * according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 1 (NIST SP |
| * 800-90 Section 10.1 Table 2). |
| * |
| * We choose to allow up to 2^16-1 bytes (i.e. 2^19-8 bits). |
| */ |
| #define HMAC_DRBG_MAX_GENERATED_LEN_BYTES 0x0000ffffUL |
| |
| /** Reseed interval |
| * |
| * The maximum permitted reseed interval for HMAC_DRBG is 2^48 |
| * according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2 (NIST SP |
| * 800-90 Section 10.1 Table 2). However, the sample implementation |
| * given in ANS X9.82 Part 3-2007 Annex E.2.1 (NIST SP 800-90 Appendix |
| * F.2) shows a reseed interval of 10000. |
| * |
| * We choose a very conservative reseed interval. |
| */ |
| #define HMAC_DRBG_RESEED_INTERVAL 1024 |
| |
| /** |
| * HMAC_DRBG internal state |
| * |
| * This structure is defined by ANS X9.82 Part 3-2007 Section |
| * 10.2.2.2.1 (NIST SP 800-90 Section 10.1.2.1). |
| * |
| * The "administrative information" portions (security_strength and |
| * prediction_resistance) are design-time constants and so are not |
| * present as fields in this structure. |
| */ |
| struct hmac_drbg_state { |
| /** Current value |
| * |
| * "The value V of outlen bits, which is updated each time |
| * another outlen bits of output are produced" |
| */ |
| uint8_t value[HMAC_DRBG_MAX_OUTLEN_BYTES]; |
| /** Current key |
| * |
| * "The outlen-bit Key, which is updated at least once each |
| * time that the DRBG mechanism generates pseudorandom bits." |
| */ |
| uint8_t key[HMAC_DRBG_MAX_OUTLEN_BYTES]; |
| /** Reseed counter |
| * |
| * "A counter (reseed_counter) that indicates the number of |
| * requests for pseudorandom bits since instantiation or |
| * reseeding" |
| */ |
| unsigned int reseed_counter; |
| }; |
| |
| extern void hmac_drbg_instantiate ( struct digest_algorithm *hash, |
| struct hmac_drbg_state *state, |
| const void *entropy, size_t entropy_len, |
| const void *personal, size_t personal_len ); |
| extern void hmac_drbg_reseed ( struct digest_algorithm *hash, |
| struct hmac_drbg_state *state, |
| const void *entropy, size_t entropy_len, |
| const void *additional, size_t additional_len ); |
| extern int hmac_drbg_generate ( struct digest_algorithm *hash, |
| struct hmac_drbg_state *state, |
| const void *additional, size_t additional_len, |
| void *data, size_t len ); |
| |
| #endif /* _IPXE_HMAC_DRBG_H */ |
