drbg_hmac.c 8.1 KB

  1. /*
  2. * Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdlib.h>
  10. #include <string.h>
  11. #include <openssl/crypto.h>
  12. #include <openssl/err.h>
  13. #include <openssl/rand.h>
  14. #include "internal/thread_once.h"
  15. #include "rand_lcl.h"
  /*
   * One K/V refresh round. SP800-90Ar1 10.1.2.2 HMAC_DRBG_Update_Process runs
   * this round up to two times.
   *
   * hmac holds the working state: Key (K) and Value (V), both hmac->blocklen
   * bytes long, plus the digest and the HMAC context that is reused here.
   * inbyte is the round separator: 0x00 on the first call, 0x01 on the second.
   * in1, in2, in3 are optional inputs with lengths in1len, in2len, in3len.
   * An input is left out of the MAC when its pointer is NULL or its length
   * is zero.
   *
   * Resulting state:
   *   hmac->K = HMAC(hmac->K, hmac->V || inbyte || [in1] || [in2] || [in3])
   *   hmac->V = HMAC(hmac->K, hmac->V)
   *
   * Returns 1 on success and 0 on error. K is overwritten before V is
   * recomputed, so a failure in the second half leaves a new K paired with
   * the old V.
   * NOTE(review): callers presumably treat a 0 return as fatal for this DRBG
   * instance rather than continuing with the half-updated state - confirm.
   */
  static int do_hmac(RAND_DRBG_HMAC *hmac, unsigned char inbyte,
                     const unsigned char *in1, size_t in1len,
                     const unsigned char *in2, size_t in2len,
                     const unsigned char *in3, size_t in3len)
  {
      HMAC_CTX *ctx = hmac->ctx;

      /* K = HMAC(K, V || inbyte || [in1] || [in2] || [in3]) */
      if (!HMAC_Init_ex(ctx, hmac->K, hmac->blocklen, hmac->md, NULL)
              || !HMAC_Update(ctx, hmac->V, hmac->blocklen)
              || !HMAC_Update(ctx, &inbyte, 1))
          return 0;

      /* Absent or empty inputs are skipped, not fed in as zero-length data. */
      if (in1 != NULL && in1len != 0 && !HMAC_Update(ctx, in1, in1len))
          return 0;
      if (in2 != NULL && in2len != 0 && !HMAC_Update(ctx, in2, in2len))
          return 0;
      if (in3 != NULL && in3len != 0 && !HMAC_Update(ctx, in3, in3len))
          return 0;

      if (!HMAC_Final(ctx, hmac->K, NULL))
          return 0;

      /* V = HMAC(K, V), keyed with the K that was just written */
      if (!HMAC_Init_ex(ctx, hmac->K, hmac->blocklen, hmac->md, NULL)
              || !HMAC_Update(ctx, hmac->V, hmac->blocklen)
              || !HMAC_Final(ctx, hmac->V, NULL))
          return 0;

      return 1;
  }
  /*
   * SP800-90Ar1 10.1.2.2 HMAC_DRBG_Update_Process
   *
   * Refreshes the drbg Key (K) and Value (V):
   *   K,V = do_hmac(hmac, 0x00, in1, in2, in3)
   *   if (in1len, in2len and in3len are not all zero)
   *       K,V = do_hmac(hmac, 0x01, in1, in2, in3)
   *
   * in1, in2, in3 are optional input buffers that can be NULL.
   * in1len, in2len, in3len are the lengths of the input buffers.
   *
   * Returns zero if an error occurs otherwise it returns 1.
   *
   * NOTE(review): the "no provided data" test looks at the lengths only,
   * while do_hmac() also skips an input whose pointer is NULL. A NULL pointer
   * passed with a non-zero length therefore still triggers the 0x01 round,
   * with no data mixed in. Callers should pass length 0 with NULL.
   */
  static int drbg_hmac_update(RAND_DRBG *drbg,
                              const unsigned char *in1, size_t in1len,
                              const unsigned char *in2, size_t in2len,
                              const unsigned char *in3, size_t in3len)
  {
      RAND_DRBG_HMAC *state = &drbg->data.hmac;
      int have_data = (in1len != 0 || in2len != 0 || in3len != 0);

      /* (Steps 1-2) K = HMAC(K, V||0x00||provided_data). V = HMAC(K,V) */
      if (!do_hmac(state, 0x00, in1, in1len, in2, in2len, in3, in3len))
          return 0;

      /* (Step 3) With no provided data the first round is the whole update */
      if (!have_data)
          return 1;

      /* (Steps 4-5) K = HMAC(K, V||0x01||provided_data). V = HMAC(K,V) */
      return do_hmac(state, 0x01, in1, in1len, in2, in2len, in3, in3len);
  }
  /*
   * SP800-90Ar1 10.1.2.3 HMAC_DRBG_Instantiate_Process:
   *
   * Resets the drbg Key (K) to all 0x00 bytes and the Value (V) to all 0x01
   * bytes, then mixes in the seed material with
   * (K,V) = drbg_hmac_update() using:
   *   ent = entropy data (Can be NULL) of length ent_len.
   *   nonce = nonce data (Can be NULL) of length nonce_len.
   *   pstr = personalization data (Can be NULL) of length pstr_len.
   *
   * No length is checked here against the min/max limits that
   * drbg_hmac_init() stores in the drbg.
   * NOTE(review): presumably the caller enforces those limits - confirm,
   * since with all three inputs empty K and V derive from constants only.
   *
   * Returns zero if an error occurs otherwise it returns 1.
   */
  static int drbg_hmac_instantiate(RAND_DRBG *drbg,
                                   const unsigned char *ent, size_t ent_len,
                                   const unsigned char *nonce, size_t nonce_len,
                                   const unsigned char *pstr, size_t pstr_len)
  {
      RAND_DRBG_HMAC *state = &drbg->data.hmac;
      int ok;

      /* (Step 2) Key = 0x00 00...00 */
      memset(state->K, 0x00, state->blocklen);
      /* (Step 3) V = 0x01 01...01 */
      memset(state->V, 0x01, state->blocklen);

      /* (Step 4) (K,V) = HMAC_DRBG_Update(entropy||nonce||pers string, K, V) */
      ok = drbg_hmac_update(drbg, ent, ent_len, nonce, nonce_len, pstr,
                            pstr_len);
      return ok;
  }
  /*
   * SP800-90Ar1 10.1.2.4 HMAC_DRBG_Reseed_Process:
   *
   * Mixes fresh seed material into the existing Key (K) and Value (V) with
   * (K,V) = drbg_hmac_update(), using:
   *   ent = entropy input data (Can be NULL) of length ent_len.
   *   adin = additional input data (Can be NULL) of length adin_len.
   *
   * K and V are not reset first, so the new state depends on the old state
   * as well as on the new input.
   *
   * Returns zero if an error occurs otherwise it returns 1.
   */
  static int drbg_hmac_reseed(RAND_DRBG *drbg,
                              const unsigned char *ent, size_t ent_len,
                              const unsigned char *adin, size_t adin_len)
  {
      int ok;

      /* (Step 2) (K,V) = HMAC_DRBG_Update(entropy||additional_input, K, V) */
      ok = drbg_hmac_update(drbg, ent, ent_len, adin, adin_len, NULL, 0);
      return ok;
  }
  /*
   * SP800-90Ar1 10.1.2.5 HMAC_DRBG_Generate_Process:
   *
   * Fills out with outlen pseudo random bytes and then refreshes the internal
   * K,V of the drbg.
   * adin is an additional_input string of size adin_len that may be NULL.
   *
   * Full blocks are written straight into out, and each block is the HMAC of
   * the block before it, read back from out. The caller's buffer must
   * therefore not be modified while this function runs.
   *
   * outlen is not checked here against drbg->max_request.
   * NOTE(review): presumably the caller enforces that limit - confirm.
   *
   * Returns zero if an error occurs otherwise it returns 1. On error out may
   * already hold some generated blocks.
   */
  static int drbg_hmac_generate(RAND_DRBG *drbg,
                                unsigned char *out, size_t outlen,
                                const unsigned char *adin, size_t adin_len)
  {
      RAND_DRBG_HMAC *hmac = &drbg->data.hmac;
      HMAC_CTX *ctx = hmac->ctx;
      /* Input of the next HMAC: V at first, then the latest output block. */
      const unsigned char *prev = hmac->V;
      int have_adin = (adin != NULL && adin_len > 0);

      /* (Step 2) if adin != NULL then (K,V) = HMAC_DRBG_Update(adin, K, V) */
      if (have_adin
              && !drbg_hmac_update(drbg, adin, adin_len, NULL, 0, NULL, 0))
          return 0;

      /*
       * (Steps 3-5) temp = NULL
       *             while (len(temp) < outlen) {
       *                 V = HMAC(K, V)
       *                 temp = temp || V
       *             }
       *
       * While more than one block is still wanted, produce whole blocks
       * directly in the output buffer.
       */
      while (outlen > hmac->blocklen) {
          if (!HMAC_Init_ex(ctx, hmac->K, hmac->blocklen, hmac->md, NULL)
                  || !HMAC_Update(ctx, prev, hmac->blocklen)
                  || !HMAC_Final(ctx, out, NULL))
              return 0;
          prev = out;
          out += hmac->blocklen;
          outlen -= hmac->blocklen;
      }

      /*
       * The last block (full or partial) is computed into V, so V ends up
       * holding the final HMAC output; only outlen bytes of it are copied out.
       */
      if (!HMAC_Init_ex(ctx, hmac->K, hmac->blocklen, hmac->md, NULL)
              || !HMAC_Update(ctx, prev, hmac->blocklen)
              || !HMAC_Final(ctx, hmac->V, NULL))
          return 0;
      memcpy(out, hmac->V, outlen);

      /*
       * (Step 6) (K,V) = HMAC_DRBG_Update(adin, K, V)
       * Unlike step 2 this runs even when there is no additional input, so
       * the K and V used for this output are always replaced before return.
       */
      return drbg_hmac_update(drbg, adin, adin_len, NULL, 0, NULL, 0) ? 1 : 0;
  }
  /*
   * Releases the HMAC context and wipes the whole HMAC DRBG state.
   *
   * The context is freed first and then the entire data.hmac struct is
   * cleansed. This erases K and V and also zeroes the stale ctx pointer, so
   * a later drbg_hmac_init() sees ctx == NULL and allocates a new context.
   *
   * Always returns 1.
   */
  static int drbg_hmac_uninstantiate(RAND_DRBG *drbg)
  {
      RAND_DRBG_HMAC *state = &drbg->data.hmac;

      HMAC_CTX_free(state->ctx);
      OPENSSL_cleanse(state, sizeof(*state));
      return 1;
  }
  /*
   * Method table installed by drbg_hmac_init() as drbg->meth.
   * The initializers are positional, so their order has to match the member
   * order of RAND_DRBG_METHOD (declared outside this file - not visible here).
   */
  static RAND_DRBG_METHOD drbg_hmac_meth = {
      drbg_hmac_instantiate,
      drbg_hmac_reseed,
      drbg_hmac_generate,
      drbg_hmac_uninstantiate
  };
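  /*
   * Prepares drbg for use as an HMAC DRBG.
   *
   * drbg->type is taken as the NID of the underlying digest. The function
   * looks the digest up, installs the HMAC method table, allocates the HMAC
   * context if the drbg does not have one yet, and derives the security
   * strength and the length limits from the digest output size.
   *
   * Returns 1 on success. Returns 0 if the digest is unknown, reports a
   * non-positive output size, or the HMAC context cannot be allocated.
   */
  int drbg_hmac_init(RAND_DRBG *drbg)
  {
      const EVP_MD *md = NULL;
      RAND_DRBG_HMAC *hmac = &drbg->data.hmac;
      int md_size;

      /* Any approved digest is allowed - assume we pass digest (not NID_hmac*) */
      md = EVP_get_digestbynid(drbg->type);
      if (md == NULL)
          return 0;

      /*
       * EVP_MD_size() returns an int. Reject a non-positive size before it
       * reaches blocklen: blocklen is the length given to the memset() and
       * HMAC calls on K and V in this file, and a zero size would also give
       * a strength of 0.
       * NOTE(review): an upper bound against the declared size of K and V
       * (rand_lcl.h, not visible here) would be worth adding as well.
       */
      md_size = EVP_MD_size(md);
      if (md_size <= 0)
          return 0;

      drbg->meth = &drbg_hmac_meth;

      /* Reuse the context if one is already attached to this drbg. */
      if (hmac->ctx == NULL) {
          hmac->ctx = HMAC_CTX_new();
          if (hmac->ctx == NULL)
              return 0;
      }

      /* These are taken from SP 800-90 10.1 Table 2 */
      hmac->md = md;
      hmac->blocklen = md_size;

      /*
       * See SP800-57 Part1 Rev4 5.6.1 Table 3
       * 64 bits of strength per 8 bytes of digest output, capped at 256:
       * a 20 byte digest gives 128, 32 bytes or more gives 256.
       */
      drbg->strength = 64 * (int)(hmac->blocklen >> 3);
      if (drbg->strength > 256)
          drbg->strength = 256;
      drbg->seedlen = hmac->blocklen;

      /* The nonce minimum is half of the entropy minimum (both in bytes). */
      drbg->min_entropylen = drbg->strength / 8;
      drbg->max_entropylen = DRBG_MAX_LENGTH;

      drbg->min_noncelen = drbg->min_entropylen / 2;
      drbg->max_noncelen = DRBG_MAX_LENGTH;

      drbg->max_perslen = DRBG_MAX_LENGTH;
      drbg->max_adinlen = DRBG_MAX_LENGTH;

      /* Maximum number of bits per request = 2^19 = 2^16 bytes */
      drbg->max_request = 1 << 16;

      return 1;
  }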