2 files changed, 119 insertions, 0 deletions

diff --git a/src/include/ipxe/drbg.h b/src/include/ipxe/drbg.h
new file mode 100644
index 000000000..a09d136dd
--- /dev/null
+++ b/src/include/ipxe/drbg.h
@@ -0,0 +1,118 @@
+#ifndef _IPXE_DRBG_H
+#define _IPXE_DRBG_H
+
+/** @file
+ *
+ * DRBG mechanism
+ *
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER );
+
+#include <stdint.h>
+#include <ipxe/hmac_drbg.h>
+
+/** Maximum security strength */
+#define DRBG_MAX_SECURITY_STRENGTH HMAC_DRBG_MAX_SECURITY_STRENGTH
+
+/** Security strength */
+#define DRBG_SECURITY_STRENGTH HMAC_DRBG_SECURITY_STRENGTH
+
+/** Minimum entropy input length */
+#define DRBG_MIN_ENTROPY_LEN_BYTES HMAC_DRBG_MIN_ENTROPY_LEN_BYTES
+
+/** Maximum entropy input length */
+#define DRBG_MAX_ENTROPY_LEN_BYTES HMAC_DRBG_MAX_ENTROPY_LEN_BYTES
+
+/** Maximum personalisation string length */
+#define DRBG_MAX_PERSONAL_LEN_BYTES HMAC_DRBG_MAX_PERSONAL_LEN_BYTES
+
+/** Maximum additional input length */
+#define DRBG_MAX_ADDITIONAL_LEN_BYTES HMAC_DRBG_MAX_ADDITIONAL_LEN_BYTES
+
+/** Maximum length of generated pseudorandom data per request */
+#define DRBG_MAX_GENERATED_LEN_BYTES HMAC_DRBG_MAX_GENERATED_LEN_BYTES
+
+/** A Deterministic Random Bit Generator */
+struct drbg_state {
+	/** Algorithm internal state */
+	struct hmac_drbg_state internal;
+	/** Reseed required flag */
+	int reseed_required;
+};
+
+/**
+ * Instantiate DRBG algorithm
+ *
+ * @v state		Algorithm state
+ * @v entropy		Entropy input
+ * @v entropy_len	Length of entropy input
+ * @v personal		Personalisation string
+ * @v personal_len	Length of personalisation string
+ *
+ * This is the Instantiate_algorithm function defined in ANS X9.82
+ * Part 3-2007 Section 9.2 (NIST SP 800-90 Section 9.1).
+ */
+static inline void drbg_instantiate_algorithm ( struct drbg_state *state,
+						const void *entropy,
+						size_t entropy_len,
+						const void *personal,
+						size_t personal_len ) {
+	hmac_drbg_instantiate ( &state->internal, entropy, entropy_len,
+				personal, personal_len );
+}
+
+/**
+ * Reseed DRBG algorithm
+ *
+ * @v state		Algorithm state
+ * @v entropy		Entropy input
+ * @v entropy_len	Length of entropy input
+ * @v additional	Additional input
+ * @v additional_len	Length of additional input
+ *
+ * This is the Reseed_algorithm function defined in ANS X9.82
+ * Part 3-2007 Section 9.3 (NIST SP 800-90 Section 9.2).
+ */
+static inline void drbg_reseed_algorithm ( struct drbg_state *state,
+					   const void *entropy,
+					   size_t entropy_len,
+					   const void *additional,
+					   size_t additional_len ) {
+	hmac_drbg_reseed ( &state->internal, entropy, entropy_len,
+			   additional, additional_len );
+}
+
+/**
+ * Generate pseudorandom bits using DRBG algorithm
+ *
+ * @v state		Algorithm state
+ * @v additional	Additional input
+ * @v additional_len	Length of additional input
+ * @v data		Output buffer
+ * @v len		Length of output buffer
+ * @ret rc		Return status code
+ *
+ * This is the Generate_algorithm function defined in ANS X9.82
+ * Part 3-2007 Section 9.4 (NIST SP 800-90 Section 9.3).
+ *
+ * Note that the only permitted error is "reseed required".
+ */
+static inline int drbg_generate_algorithm ( struct drbg_state *state,
+					    const void *additional,
+					    size_t additional_len,
+					    void *data, size_t len ) {
+	return hmac_drbg_generate ( &state->internal, additional,
+				    additional_len, data, len );
+}
+
+extern int drbg_instantiate ( struct drbg_state *state, const void *personal,
+			      size_t personal_len );
+extern int drbg_reseed ( struct drbg_state *state, const void *additional,
+			 size_t additional_len );
+extern int drbg_generate ( struct drbg_state *state, const void *additional,
+			   size_t additional_len, int prediction_resist,
+			   void *data, size_t len );
+extern void drbg_uninstantiate ( struct drbg_state *state );
+
+#endif /* _IPXE_DRBG_H */
diff --git a/src/include/ipxe/errfile.h b/src/include/ipxe/errfile.h
index 2094b78cc..8f6c36410 100644
--- a/src/include/ipxe/errfile.h
+++ b/src/include/ipxe/errfile.h
@@ -243,6 +243,7 @@ FILE_LICENCE ( GPL2_OR_LATER );
 #define ERRFILE_prompt		      ( ERRFILE_OTHER | 0x00220000 )
 #define ERRFILE_nvo_cmd		      ( ERRFILE_OTHER | 0x00230000 )
 #define ERRFILE_hmac_drbg	      ( ERRFILE_OTHER | 0x00240000 )
+#define ERRFILE_drbg		      ( ERRFILE_OTHER | 0x00250000 )
 
 /** @} */