[rng] Allow HMAC_DRBG to use multiple underlying hash algorithms

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2025-12-23 13:30:57 +03:00 · 2012-03-06 12:58:56 +00:00
parent 742e43be05
commit b9d9c3f1d5
4 changed files with 441 additions and 266 deletions
--- a/src/include/ipxe/drbg.h
+++ b/src/include/ipxe/drbg.h
@@ -10,16 +10,29 @@
 FILE_LICENCE ( GPL2_OR_LATER );

 #include <stdint.h>
+#include <ipxe/sha1.h>
 #include <ipxe/hmac_drbg.h>

-/** Maximum security strength */
-#define DRBG_MAX_SECURITY_STRENGTH HMAC_DRBG_MAX_SECURITY_STRENGTH
+/** Choose HMAC_DRBG using SHA-1
+ *
+ * HMAC_DRBG using SHA-1 is an Approved algorithm in ANS X9.82.
+ */
+#define HMAC_DRBG_ALGORITHM HMAC_DRBG_SHA1

-/** Security strength */
-#define DRBG_SECURITY_STRENGTH HMAC_DRBG_SECURITY_STRENGTH
+/** Maximum security strength */
+#define DRBG_MAX_SECURITY_STRENGTH \
+	HMAC_DRBG_MAX_SECURITY_STRENGTH ( HMAC_DRBG_ALGORITHM )
+
+/** Security strength
+ *
+ * We choose to operate at the maximum security strength supported by
+ * the algorithm.
+ */
+#define DRBG_SECURITY_STRENGTH DRBG_MAX_SECURITY_STRENGTH

 /** Minimum entropy input length */
-#define DRBG_MIN_ENTROPY_LEN_BYTES HMAC_DRBG_MIN_ENTROPY_LEN_BYTES
+#define DRBG_MIN_ENTROPY_LEN_BYTES \
+	HMAC_DRBG_MIN_ENTROPY_LEN_BYTES ( DRBG_SECURITY_STRENGTH )

 /** Maximum entropy input length */
 #define DRBG_MAX_ENTROPY_LEN_BYTES HMAC_DRBG_MAX_ENTROPY_LEN_BYTES
@@ -60,7 +73,8 @@ static inline void drbg_instantiate_algorithm ( struct drbg_state *state,
 						size_t entropy_len,
 						const void *personal,
 						size_t personal_len ) {
-	hmac_drbg_instantiate ( &state->internal, entropy, entropy_len,
+	hmac_drbg_instantiate ( HMAC_DRBG_HASH ( HMAC_DRBG_ALGORITHM ),
+				&state->internal, entropy, entropy_len,
 				personal, personal_len );
 }

@@ -81,7 +95,8 @@ static inline void drbg_reseed_algorithm ( struct drbg_state *state,
 					   size_t entropy_len,
 					   const void *additional,
 					   size_t additional_len ) {
-	hmac_drbg_reseed ( &state->internal, entropy, entropy_len,
+	hmac_drbg_reseed ( HMAC_DRBG_HASH ( HMAC_DRBG_ALGORITHM ),
+			   &state->internal, entropy, entropy_len,
 			   additional, additional_len );
 }

@@ -104,7 +119,8 @@ static inline int drbg_generate_algorithm ( struct drbg_state *state,
 					    const void *additional,
 					    size_t additional_len,
 					    void *data, size_t len ) {
-	return hmac_drbg_generate ( &state->internal, additional,
+	return hmac_drbg_generate ( HMAC_DRBG_HASH ( HMAC_DRBG_ALGORITHM ),
+				    &state->internal, additional,
 				    additional_len, data, len );
 }

--- a/src/include/ipxe/hmac_drbg.h
+++ b/src/include/ipxe/hmac_drbg.h
@@ -10,48 +10,148 @@
 FILE_LICENCE ( GPL2_OR_LATER );

 #include <stdint.h>
-#include <ipxe/sha1.h>
+#include <ipxe/crypto.h>

-/** Use SHA-1 as the underlying hash algorithm
+/** Declare an HMAC_DRBG algorithm
 *
- * HMAC_DRBG using SHA-1 is an Approved algorithm in ANS X9.82.
+ * @v hash			Underlying hash algorithm
+ * @v max_security_strength	Maxmimum security strength
+ * @v out_len_bits		Output block length, in bits
+ * @ret hmac_drbg		HMAC_DRBG algorithm
 */
-#define hmac_drbg_algorithm sha1_algorithm
+#define HMAC_DRBG( hash, max_security_strength, out_len_bits ) \
+	( hash, max_security_strength, out_len_bits )
+
+/** HMAC_DRBG using SHA-1
+ *
+ * The maximum security strength of HMAC_DRBG using SHA-1 is 128 bits
+ * according to the list of maximum security strengths documented in
+ * NIST SP 800-57 Part 1 Section 5.6.1 Table 3.
+ *
+ * The output block length of HMAC_DRBG using SHA-1 is 160 bits
+ * according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2 (NIST SP
+ * 800-90 Section 10.1 Table 2).
+ */
+#define HMAC_DRBG_SHA1 HMAC_DRBG ( &sha1_algorithm, 128, 160 )
+
+/** HMAC_DRBG using SHA-224
+ *
+ * The maximum security strength of HMAC_DRBG using SHA-224 is 192
+ * bits according to the list of maximum security strengths documented
+ * in NIST SP 800-57 Part 1 Section 5.6.1 Table 3.
+ *
+ * The output block length of HMAC_DRBG using SHA-224 is 224 bits
+ * according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2 (NIST SP
+ * 800-90 Section 10.1 Table 2).
+ */
+#define HMAC_DRBG_SHA224 HMAC_DRBG ( &sha224_algorithm, 192, 224 )
+
+/** HMAC_DRBG using SHA-256
+ *
+ * The maximum security strength of HMAC_DRBG using SHA-256 is 256
+ * bits according to the list of maximum security strengths documented
+ * in NIST SP 800-57 Part 1 Section 5.6.1 Table 3.
+ *
+ * The output block length of HMAC_DRBG using SHA-256 is 256 bits
+ * according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2 (NIST SP
+ * 800-90 Section 10.1 Table 2).
+ */
+#define HMAC_DRBG_SHA256 HMAC_DRBG ( &sha256_algorithm, 256, 256 )
+
+/** HMAC_DRBG using SHA-384
+ *
+ * The maximum security strength of HMAC_DRBG using SHA-384 is 256
+ * bits according to the list of maximum security strengths documented
+ * in NIST SP 800-57 Part 1 Section 5.6.1 Table 3.
+ *
+ * The output block length of HMAC_DRBG using SHA-384 is 384 bits
+ * according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2 (NIST SP
+ * 800-90 Section 10.1 Table 2).
+ */
+#define HMAC_DRBG_SHA384 HMAC_DRBG ( &sha384_algorithm, 256, 384 )
+
+/** HMAC_DRBG using SHA-512
+ *
+ * The maximum security strength of HMAC_DRBG using SHA-512 is 256
+ * bits according to the list of maximum security strengths documented
+ * in NIST SP 800-57 Part 1 Section 5.6.1 Table 3.
+ *
+ * The output block length of HMAC_DRBG using SHA-512 is 512 bits
+ * according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2 (NIST SP
+ * 800-90 Section 10.1 Table 2).
+ */
+#define HMAC_DRBG_SHA512 HMAC_DRBG ( &sha512_algorithm, 256, 512 )
+
+/** Underlying hash algorithm
+ *
+ * @v hmac_drbg			HMAC_DRBG algorithm
+ * @ret hash			Underlying hash algorithm
+ */
+#define HMAC_DRBG_HASH( hmac_drbg ) \
+	HMAC_DRBG_EXTRACT_HASH hmac_drbg
+#define HMAC_DRBG_EXTRACT_HASH( hash, max_security_strength, out_len_bits ) \
+	hash

 /** Maximum security strength
 *
- * The maximum security strength of HMAC_DRBG using SHA-1 is 128 bits
- * (according to the list of maximum security strengths documented in
- * NIST SP 800-57 Part 1 Section 5.6.1 Table 3).
+ * @v hmac_drbg			HMAC_DRBG algorithm
+ * @ret max_security_strength	Maxmimum security strength
 */
-#define HMAC_DRBG_MAX_SECURITY_STRENGTH 128
+#define HMAC_DRBG_MAX_SECURITY_STRENGTH( hmac_drbg ) \
+	HMAC_DRBG_EXTRACT_MAX_SECURITY_STRENGTH hmac_drbg
+#define HMAC_DRBG_EXTRACT_MAX_SECURITY_STRENGTH( hash, max_security_strength, \
+						 out_len_bits ) \
+	max_security_strength

-/** Security strength
+/** Output block length, in bits
 *
- * For the sake of implementation simplicity, only a single security
- * strength is supported, which is the maximum security strength
- * supported by the algorithm.
+ * @v hmac_drbg			HMAC_DRBG algorithm
+ * @ret out_len_bits		Output block length, in bits
 */
-#define HMAC_DRBG_SECURITY_STRENGTH HMAC_DRBG_MAX_SECURITY_STRENGTH
+#define HMAC_DRBG_OUTLEN_BITS( hmac_drbg ) \
+	HMAC_DRBG_EXTRACT_OUTLEN_BITS hmac_drbg
+#define HMAC_DRBG_EXTRACT_OUTLEN_BITS( hash, max_security_strength, \
+				       out_len_bits ) \
+	out_len_bits

-/** Underlying hash algorithm output length (in bytes) */
-#define HMAC_DRBG_OUTLEN_BYTES SHA1_DIGEST_SIZE
+/** Output block length, in bytes
+ *
+ * @v hmac_drbg			HMAC_DRBG algorithm
+ * @ret out_len_bytes		Output block length, in bytes
+ */
+#define HMAC_DRBG_OUTLEN_BYTES( hmac_drbg ) \
+	( HMAC_DRBG_OUTLEN_BITS ( hmac_drbg ) / 8 )
+
+/** Maximum output block length, in bytes
+ *
+ * The maximum output block length for HMAC_DRBG is 512 bits for
+ * SHA-512 according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2
+ * (NIST SP 800-90 Section 10.1 Table 2).
+ */
+#define HMAC_DRBG_MAX_OUTLEN_BYTES HMAC_DRBG_OUTLEN_BYTES ( HMAC_DRBG_SHA512 )

 /** Required minimum entropy for instantiate and reseed
+ *
+ * @v security_strength		Security strength
+ * @ret min_entropy		Required minimum entropy
 *
 * The minimum required entropy for HMAC_DRBG is equal to the security
 * strength according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2
 * (NIST SP 800-90 Section 10.1 Table 2).
 */
-#define HMAC_DRBG_MIN_ENTROPY_BYTES ( HMAC_DRBG_SECURITY_STRENGTH / 8 )
+#define HMAC_DRBG_MIN_ENTROPY( security_strength ) (security_strength)

 /** Minimum entropy input length
+ *
+ * @v security_strength		Security strength
+ * @ret min_entropy_len_bytes	Required minimum entropy length (in bytes)
 *
 * The minimum entropy input length for HMAC_DRBG is equal to the
 * security strength according to ANS X9.82 Part 3-2007 Section 10.2.1
 * Table 2 (NIST SP 800-90 Section 10.1 Table 2).
 */
-#define HMAC_DRBG_MIN_ENTROPY_LEN_BYTES ( HMAC_DRBG_SECURITY_STRENGTH / 8 )
+#define HMAC_DRBG_MIN_ENTROPY_LEN_BYTES( security_strength ) \
+	( (security_strength) / 8 )

 /** Maximum entropy input length
 *
@@ -95,19 +195,16 @@ FILE_LICENCE ( GPL2_OR_LATER );

 /** Reseed interval
 *
- * The maximum permitted reseed interval for HMAC_DRBG using SHA-1 is
- * 2^48 according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2
- * (NIST SP 800-90 Section 10.1 Table 2).  However, the sample
- * implementation given in ANS X9.82 Part 3-2007 Annex E.2.1 (NIST SP
- * 800-90 Appendix F.2) shows a reseed interval of 10000.
+ * The maximum permitted reseed interval for HMAC_DRBG is 2^48
+ * according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2 (NIST SP
+ * 800-90 Section 10.1 Table 2).  However, the sample implementation
+ * given in ANS X9.82 Part 3-2007 Annex E.2.1 (NIST SP 800-90 Appendix
+ * F.2) shows a reseed interval of 10000.
 *
 * We choose a very conservative reseed interval.
 */
 #define HMAC_DRBG_RESEED_INTERVAL 1024

-/** Underlying hash algorithm context size (in bytes) */
-#define HMAC_DRBG_CTX_SIZE SHA1_CTX_SIZE
-
 /**
 * HMAC_DRBG internal state
 *
@@ -124,13 +221,13 @@ struct hmac_drbg_state {
 	 * "The value V of outlen bits, which is updated each time
 	 * another outlen bits of output are produced"
 	 */
-	uint8_t value[HMAC_DRBG_OUTLEN_BYTES];
+	uint8_t value[HMAC_DRBG_MAX_OUTLEN_BYTES];
 	/** Current key
 	 *
 	 * "The outlen-bit Key, which is updated at least once each
 	 * time that the DRBG mechanism generates pseudorandom bits."
 	 */
-	uint8_t key[HMAC_DRBG_OUTLEN_BYTES];
+	uint8_t key[HMAC_DRBG_MAX_OUTLEN_BYTES];
 	/** Reseed counter
 	 *
 	 * "A counter (reseed_counter) that indicates the number of
@@ -140,13 +237,16 @@ struct hmac_drbg_state {
 	unsigned int reseed_counter;
 };

-extern void hmac_drbg_instantiate ( struct hmac_drbg_state *state,
+extern void hmac_drbg_instantiate ( struct digest_algorithm *hash,
+				    struct hmac_drbg_state *state,
 				    const void *entropy, size_t entropy_len,
 				    const void *personal, size_t personal_len );
-extern void hmac_drbg_reseed ( struct hmac_drbg_state *state,
+extern void hmac_drbg_reseed ( struct digest_algorithm *hash,
+			       struct hmac_drbg_state *state,
 			       const void *entropy, size_t entropy_len,
 			       const void *additional, size_t additional_len );
-extern int hmac_drbg_generate ( struct hmac_drbg_state *state,
+extern int hmac_drbg_generate ( struct digest_algorithm *hash,
+				struct hmac_drbg_state *state,
 				const void *additional, size_t additional_len,
 				void *data, size_t len );