[rng] Allow HMAC_DRBG to use multiple underlying hash algorithms

Signed-off-by: Michael Brown <mcb30@ipxe.org>

2 files changed, 153 insertions, 37 deletions

diff --git a/src/include/ipxe/drbg.h b/src/include/ipxe/drbg.h
index 3cf4584ac..139f03c54 100644
--- a/src/include/ipxe/drbg.h
+++ b/src/include/ipxe/drbg.h
@@ -10,16 +10,29 @@
 FILE_LICENCE ( GPL2_OR_LATER );
 
 #include <stdint.h>
+#include <ipxe/sha1.h>
 #include <ipxe/hmac_drbg.h>
 
+/** Choose HMAC_DRBG using SHA-1
+ *
+ * HMAC_DRBG using SHA-1 is an Approved algorithm in ANS X9.82.
+ */
+#define HMAC_DRBG_ALGORITHM HMAC_DRBG_SHA1
+
 /** Maximum security strength */
-#define DRBG_MAX_SECURITY_STRENGTH HMAC_DRBG_MAX_SECURITY_STRENGTH
+#define DRBG_MAX_SECURITY_STRENGTH \
+	HMAC_DRBG_MAX_SECURITY_STRENGTH ( HMAC_DRBG_ALGORITHM )
 
-/** Security strength */
-#define DRBG_SECURITY_STRENGTH HMAC_DRBG_SECURITY_STRENGTH
+/** Security strength
+ *
+ * We choose to operate at the maximum security strength supported by
+ * the algorithm.
+ */
+#define DRBG_SECURITY_STRENGTH DRBG_MAX_SECURITY_STRENGTH
 
 /** Minimum entropy input length */
-#define DRBG_MIN_ENTROPY_LEN_BYTES HMAC_DRBG_MIN_ENTROPY_LEN_BYTES
+#define DRBG_MIN_ENTROPY_LEN_BYTES \
+	HMAC_DRBG_MIN_ENTROPY_LEN_BYTES ( DRBG_SECURITY_STRENGTH )
 
 /** Maximum entropy input length */
 #define DRBG_MAX_ENTROPY_LEN_BYTES HMAC_DRBG_MAX_ENTROPY_LEN_BYTES
@@ -60,7 +73,8 @@ static inline void drbg_instantiate_algorithm ( struct drbg_state *state,
 						size_t entropy_len,
 						const void *personal,
 						size_t personal_len ) {
-	hmac_drbg_instantiate ( &state->internal, entropy, entropy_len,
+	hmac_drbg_instantiate ( HMAC_DRBG_HASH ( HMAC_DRBG_ALGORITHM ),
+				&state->internal, entropy, entropy_len,
 				personal, personal_len );
 }
 
@@ -81,7 +95,8 @@ static inline void drbg_reseed_algorithm ( struct drbg_state *state,
 					   size_t entropy_len,
 					   const void *additional,
 					   size_t additional_len ) {
-	hmac_drbg_reseed ( &state->internal, entropy, entropy_len,
+	hmac_drbg_reseed ( HMAC_DRBG_HASH ( HMAC_DRBG_ALGORITHM ),
+			   &state->internal, entropy, entropy_len,
 			   additional, additional_len );
 }
 
@@ -104,7 +119,8 @@ static inline int drbg_generate_algorithm ( struct drbg_state *state,
 					    const void *additional,
 					    size_t additional_len,
 					    void *data, size_t len ) {
-	return hmac_drbg_generate ( &state->internal, additional,
+	return hmac_drbg_generate ( HMAC_DRBG_HASH ( HMAC_DRBG_ALGORITHM ),
+				    &state->internal, additional,
 				    additional_len, data, len );
 }
 
diff --git a/src/include/ipxe/hmac_drbg.h b/src/include/ipxe/hmac_drbg.h
index b3dfe3682..8dfd2924f 100644
--- a/src/include/ipxe/hmac_drbg.h
+++ b/src/include/ipxe/hmac_drbg.h
@@ -10,48 +10,148 @@
 FILE_LICENCE ( GPL2_OR_LATER );
 
 #include <stdint.h>
-#include <ipxe/sha1.h>
+#include <ipxe/crypto.h>
 
-/** Use SHA-1 as the underlying hash algorithm
+/** Declare an HMAC_DRBG algorithm
  *
- * HMAC_DRBG using SHA-1 is an Approved algorithm in ANS X9.82.
+ * @v hash			Underlying hash algorithm
+ * @v max_security_strength	Maxmimum security strength
+ * @v out_len_bits		Output block length, in bits
+ * @ret hmac_drbg		HMAC_DRBG algorithm
  */
-#define hmac_drbg_algorithm sha1_algorithm
+#define HMAC_DRBG( hash, max_security_strength, out_len_bits ) \
+	( hash, max_security_strength, out_len_bits )
 
-/** Maximum security strength
+/** HMAC_DRBG using SHA-1
  *
  * The maximum security strength of HMAC_DRBG using SHA-1 is 128 bits
- * (according to the list of maximum security strengths documented in
- * NIST SP 800-57 Part 1 Section 5.6.1 Table 3).
+ * according to the list of maximum security strengths documented in
+ * NIST SP 800-57 Part 1 Section 5.6.1 Table 3.
+ *
+ * The output block length of HMAC_DRBG using SHA-1 is 160 bits
+ * according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2 (NIST SP
+ * 800-90 Section 10.1 Table 2).
  */
-#define HMAC_DRBG_MAX_SECURITY_STRENGTH 128
+#define HMAC_DRBG_SHA1 HMAC_DRBG ( &sha1_algorithm, 128, 160 )
 
-/** Security strength
+/** HMAC_DRBG using SHA-224
+ *
+ * The maximum security strength of HMAC_DRBG using SHA-224 is 192
+ * bits according to the list of maximum security strengths documented
+ * in NIST SP 800-57 Part 1 Section 5.6.1 Table 3.
  *
- * For the sake of implementation simplicity, only a single security
- * strength is supported, which is the maximum security strength
- * supported by the algorithm.
+ * The output block length of HMAC_DRBG using SHA-224 is 224 bits
+ * according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2 (NIST SP
+ * 800-90 Section 10.1 Table 2).
  */
-#define HMAC_DRBG_SECURITY_STRENGTH HMAC_DRBG_MAX_SECURITY_STRENGTH
+#define HMAC_DRBG_SHA224 HMAC_DRBG ( &sha224_algorithm, 192, 224 )
 
-/** Underlying hash algorithm output length (in bytes) */
-#define HMAC_DRBG_OUTLEN_BYTES SHA1_DIGEST_SIZE
+/** HMAC_DRBG using SHA-256
+ *
+ * The maximum security strength of HMAC_DRBG using SHA-256 is 256
+ * bits according to the list of maximum security strengths documented
+ * in NIST SP 800-57 Part 1 Section 5.6.1 Table 3.
+ *
+ * The output block length of HMAC_DRBG using SHA-256 is 256 bits
+ * according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2 (NIST SP
+ * 800-90 Section 10.1 Table 2).
+ */
+#define HMAC_DRBG_SHA256 HMAC_DRBG ( &sha256_algorithm, 256, 256 )
+
+/** HMAC_DRBG using SHA-384
+ *
+ * The maximum security strength of HMAC_DRBG using SHA-384 is 256
+ * bits according to the list of maximum security strengths documented
+ * in NIST SP 800-57 Part 1 Section 5.6.1 Table 3.
+ *
+ * The output block length of HMAC_DRBG using SHA-384 is 384 bits
+ * according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2 (NIST SP
+ * 800-90 Section 10.1 Table 2).
+ */
+#define HMAC_DRBG_SHA384 HMAC_DRBG ( &sha384_algorithm, 256, 384 )
+
+/** HMAC_DRBG using SHA-512
+ *
+ * The maximum security strength of HMAC_DRBG using SHA-512 is 256
+ * bits according to the list of maximum security strengths documented
+ * in NIST SP 800-57 Part 1 Section 5.6.1 Table 3.
+ *
+ * The output block length of HMAC_DRBG using SHA-512 is 512 bits
+ * according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2 (NIST SP
+ * 800-90 Section 10.1 Table 2).
+ */
+#define HMAC_DRBG_SHA512 HMAC_DRBG ( &sha512_algorithm, 256, 512 )
+
+/** Underlying hash algorithm
+ *
+ * @v hmac_drbg			HMAC_DRBG algorithm
+ * @ret hash			Underlying hash algorithm
+ */
+#define HMAC_DRBG_HASH( hmac_drbg ) \
+	HMAC_DRBG_EXTRACT_HASH hmac_drbg
+#define HMAC_DRBG_EXTRACT_HASH( hash, max_security_strength, out_len_bits ) \
+	hash
+
+/** Maximum security strength
+ *
+ * @v hmac_drbg			HMAC_DRBG algorithm
+ * @ret max_security_strength	Maxmimum security strength
+ */
+#define HMAC_DRBG_MAX_SECURITY_STRENGTH( hmac_drbg ) \
+	HMAC_DRBG_EXTRACT_MAX_SECURITY_STRENGTH hmac_drbg
+#define HMAC_DRBG_EXTRACT_MAX_SECURITY_STRENGTH( hash, max_security_strength, \
+						 out_len_bits ) \
+	max_security_strength
+
+/** Output block length, in bits
+ *
+ * @v hmac_drbg			HMAC_DRBG algorithm
+ * @ret out_len_bits		Output block length, in bits
+ */
+#define HMAC_DRBG_OUTLEN_BITS( hmac_drbg ) \
+	HMAC_DRBG_EXTRACT_OUTLEN_BITS hmac_drbg
+#define HMAC_DRBG_EXTRACT_OUTLEN_BITS( hash, max_security_strength, \
+				       out_len_bits ) \
+	out_len_bits
+
+/** Output block length, in bytes
+ *
+ * @v hmac_drbg			HMAC_DRBG algorithm
+ * @ret out_len_bytes		Output block length, in bytes
+ */
+#define HMAC_DRBG_OUTLEN_BYTES( hmac_drbg ) \
+	( HMAC_DRBG_OUTLEN_BITS ( hmac_drbg ) / 8 )
+
+/** Maximum output block length, in bytes
+ *
+ * The maximum output block length for HMAC_DRBG is 512 bits for
+ * SHA-512 according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2
+ * (NIST SP 800-90 Section 10.1 Table 2).
+ */
+#define HMAC_DRBG_MAX_OUTLEN_BYTES HMAC_DRBG_OUTLEN_BYTES ( HMAC_DRBG_SHA512 )
 
 /** Required minimum entropy for instantiate and reseed
  *
+ * @v security_strength		Security strength
+ * @ret min_entropy		Required minimum entropy
+ *
  * The minimum required entropy for HMAC_DRBG is equal to the security
  * strength according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2
  * (NIST SP 800-90 Section 10.1 Table 2).
  */
-#define HMAC_DRBG_MIN_ENTROPY_BYTES ( HMAC_DRBG_SECURITY_STRENGTH / 8 )
+#define HMAC_DRBG_MIN_ENTROPY( security_strength ) (security_strength)
 
 /** Minimum entropy input length
  *
+ * @v security_strength		Security strength
+ * @ret min_entropy_len_bytes	Required minimum entropy length (in bytes)
+ *
  * The minimum entropy input length for HMAC_DRBG is equal to the
  * security strength according to ANS X9.82 Part 3-2007 Section 10.2.1
  * Table 2 (NIST SP 800-90 Section 10.1 Table 2).
  */
-#define HMAC_DRBG_MIN_ENTROPY_LEN_BYTES ( HMAC_DRBG_SECURITY_STRENGTH / 8 )
+#define HMAC_DRBG_MIN_ENTROPY_LEN_BYTES( security_strength ) \
+	( (security_strength) / 8 )
 
 /** Maximum entropy input length
  *
@@ -95,19 +195,16 @@ FILE_LICENCE ( GPL2_OR_LATER );
 
 /** Reseed interval
  *
- * The maximum permitted reseed interval for HMAC_DRBG using SHA-1 is
- * 2^48 according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2
- * (NIST SP 800-90 Section 10.1 Table 2).  However, the sample
- * implementation given in ANS X9.82 Part 3-2007 Annex E.2.1 (NIST SP
- * 800-90 Appendix F.2) shows a reseed interval of 10000.
+ * The maximum permitted reseed interval for HMAC_DRBG is 2^48
+ * according to ANS X9.82 Part 3-2007 Section 10.2.1 Table 2 (NIST SP
+ * 800-90 Section 10.1 Table 2).  However, the sample implementation
+ * given in ANS X9.82 Part 3-2007 Annex E.2.1 (NIST SP 800-90 Appendix
+ * F.2) shows a reseed interval of 10000.
  *
  * We choose a very conservative reseed interval.
  */
 #define HMAC_DRBG_RESEED_INTERVAL 1024
 
-/** Underlying hash algorithm context size (in bytes) */
-#define HMAC_DRBG_CTX_SIZE SHA1_CTX_SIZE
-
 /**
  * HMAC_DRBG internal state
  *
@@ -124,13 +221,13 @@ struct hmac_drbg_state {
 	 * "The value V of outlen bits, which is updated each time
 	 * another outlen bits of output are produced"
 	 */
-	uint8_t value[HMAC_DRBG_OUTLEN_BYTES];
+	uint8_t value[HMAC_DRBG_MAX_OUTLEN_BYTES];
 	/** Current key
 	 *
 	 * "The outlen-bit Key, which is updated at least once each
 	 * time that the DRBG mechanism generates pseudorandom bits."
 	 */
-	uint8_t key[HMAC_DRBG_OUTLEN_BYTES];
+	uint8_t key[HMAC_DRBG_MAX_OUTLEN_BYTES];
 	/** Reseed counter
 	 *
 	 * "A counter (reseed_counter) that indicates the number of
@@ -140,13 +237,16 @@ struct hmac_drbg_state {
 	unsigned int reseed_counter;
 };
 
-extern void hmac_drbg_instantiate ( struct hmac_drbg_state *state,
+extern void hmac_drbg_instantiate ( struct digest_algorithm *hash,
+				    struct hmac_drbg_state *state,
 				    const void *entropy, size_t entropy_len,
 				    const void *personal, size_t personal_len );
-extern void hmac_drbg_reseed ( struct hmac_drbg_state *state,
+extern void hmac_drbg_reseed ( struct digest_algorithm *hash,
+			       struct hmac_drbg_state *state,
 			       const void *entropy, size_t entropy_len,
 			       const void *additional, size_t additional_len );
-extern int hmac_drbg_generate ( struct hmac_drbg_state *state,
+extern int hmac_drbg_generate ( struct digest_algorithm *hash,
+				struct hmac_drbg_state *state,
 				const void *additional, size_t additional_len,
 				void *data, size_t len );