Etusivu Tutki Apua
Kirjaudu sisään
OWEALs
/
openssl
peilaus alkaen git://git.openssl.org/openssl.git
2
0
Fork 0
Tiedostot Ongelmat 1 Wiki
Puu: 3a561b06d9
Haarat Tagit
openssl
/
crypto
/
rand
/
drbg_hmac.c

drbg_hmac.c 8.1 KB
Historia Raaka

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238 
  1. /*
    2. 

  2.  * Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved.
    3. 

  3.  *
    4. 

  4.  * Licensed under the Apache License 2.0 (the "License").  You may not use
    5. 

  5.  * this file except in compliance with the License.  You can obtain a copy
    6. 

  6.  * in the file LICENSE in the source distribution or at
    7. 

  7.  * https://www.openssl.org/source/license.html
    8. 

  8.  */
    9. 

  9. 

  10. #include <stdlib.h>
    11. 

  11. #include <string.h>
    12. 

  12. #include <openssl/crypto.h>
    13. 

  13. #include <openssl/err.h>
    14. 

  14. #include <openssl/rand.h>
    15. 

  15. #include "internal/thread_once.h"
    16. 

  16. #include "rand_lcl.h"
    17. 

  17. 

  18. /*
    19. 

  19.  * Called twice by SP800-90Ar1 10.1.2.2 HMAC_DRBG_Update_Process.
    20. 

  20.  *
    21. 

  21.  * hmac is an object that holds the input/output Key and Value (K and V).
    22. 

  22.  * inbyte is 0x00 on the first call and 0x01 on the second call.
    23. 

  23.  * in1, in2, in3 are optional inputs that can be NULL.
    24. 

  24.  * in1len, in2len, in3len are the lengths of the input buffers.
    25. 

  25.  *
    26. 

  26.  * The returned K,V is:
    27. 

  27.  *   hmac->K = HMAC(hmac->K, hmac->V || inbyte || [in1] || [in2] || [in3])
    28. 

  28.  *   hmac->V = HMAC(hmac->K, hmac->V)
    29. 

  29.  *
    30. 

  30.  * Returns zero if an error occurs otherwise it returns 1.
    31. 

  31.  */
    32. 

  32. static int do_hmac(RAND_DRBG_HMAC *hmac, unsigned char inbyte,
    33. 

  33.                    const unsigned char *in1, size_t in1len,
    34. 

  34.                    const unsigned char *in2, size_t in2len,
    35. 

  35.                    const unsigned char *in3, size_t in3len)
    36. 

  36. {
    37. 

  37.     HMAC_CTX *ctx = hmac->ctx;
    38. 

  38. 

  39.     return HMAC_Init_ex(ctx, hmac->K, hmac->blocklen, hmac->md, NULL)
    40. 

  40.            /* K = HMAC(K, V || inbyte || [in1] || [in2] || [in3]) */
    41. 

  41.            && HMAC_Update(ctx, hmac->V, hmac->blocklen)
    42. 

  42.            && HMAC_Update(ctx, &inbyte, 1)
    43. 

  43.            && (in1 == NULL || in1len == 0 || HMAC_Update(ctx, in1, in1len))
    44. 

  44.            && (in2 == NULL || in2len == 0 || HMAC_Update(ctx, in2, in2len))
    45. 

  45.            && (in3 == NULL || in3len == 0 || HMAC_Update(ctx, in3, in3len))
    46. 

  46.            && HMAC_Final(ctx, hmac->K, NULL)
    47. 

  47.            /* V = HMAC(K, V) */
    48. 

  48.            && HMAC_Init_ex(ctx, hmac->K, hmac->blocklen, hmac->md, NULL)
    49. 

  49.            && HMAC_Update(ctx, hmac->V, hmac->blocklen)
    50. 

  50.            && HMAC_Final(ctx, hmac->V, NULL);
    51. 

  51. }
    52. 

  52. 

  53. /*
    54. 

  54.  * SP800-90Ar1 10.1.2.2 HMAC_DRBG_Update_Process
    55. 

  55.  *
    56. 

  56.  *
    57. 

  57.  * Updates the drbg objects Key(K) and Value(V) using the following algorithm:
    58. 

  58.  *   K,V = do_hmac(hmac, 0, in1, in2, in3)
    59. 

  59.  *   if (any input is not NULL)
    60. 

  60.  *     K,V = do_hmac(hmac, 1, in1, in2, in3)
    61. 

  61.  *
    62. 

  62.  * where in1, in2, in3 are optional input buffers that can be NULL.
    63. 

  63.  *       in1len, in2len, in3len are the lengths of the input buffers.
    64. 

  64.  *
    65. 

  65.  * Returns zero if an error occurs otherwise it returns 1.
    66. 

  66.  */
    67. 

  67. static int drbg_hmac_update(RAND_DRBG *drbg,
    68. 

  68.                             const unsigned char *in1, size_t in1len,
    69. 

  69.                             const unsigned char *in2, size_t in2len,
    70. 

  70.                             const unsigned char *in3, size_t in3len)
    71. 

  71. {
    72. 

  72.     RAND_DRBG_HMAC *hmac = &drbg->data.hmac;
    73. 

  73. 

  74.     /* (Steps 1-2) K = HMAC(K, V||0x00||provided_data). V = HMAC(K,V) */
    75. 

  75.     if (!do_hmac(hmac, 0x00, in1, in1len, in2, in2len, in3, in3len))
    76. 

  76.         return 0;
    77. 

  77.     /* (Step 3) If provided_data == NULL then return (K,V) */
    78. 

  78.     if (in1len == 0 && in2len == 0 && in3len == 0)
    79. 

  79.         return 1;
    80. 

  80.     /* (Steps 4-5) K = HMAC(K, V||0x01||provided_data). V = HMAC(K,V) */
    81. 

  81.     return do_hmac(hmac, 0x01, in1, in1len, in2, in2len, in3, in3len);
    82. 

  82. }
    83. 

  83. 

  84. /*
    85. 

  85.  * SP800-90Ar1 10.1.2.3 HMAC_DRBG_Instantiate_Process:
    86. 

  86.  *
    87. 

  87.  * This sets the drbg Key (K) to all zeros, and Value (V) to all 1's.
    88. 

  88.  * and then calls (K,V) = drbg_hmac_update() with input parameters:
    89. 

  89.  *   ent = entropy data (Can be NULL) of length ent_len.
    90. 

  90.  *   nonce = nonce data (Can be NULL) of length nonce_len.
    91. 

  91.  *   pstr = personalization data (Can be NULL) of length pstr_len.
    92. 

  92.  *
    93. 

  93.  * Returns zero if an error occurs otherwise it returns 1.
    94. 

  94.  */
    95. 

  95. static int drbg_hmac_instantiate(RAND_DRBG *drbg,
    96. 

  96.                                  const unsigned char *ent, size_t ent_len,
    97. 

  97.                                  const unsigned char *nonce, size_t nonce_len,
    98. 

  98.                                  const unsigned char *pstr, size_t pstr_len)
    99. 

  99. {
    100. 

  100.     RAND_DRBG_HMAC *hmac = &drbg->data.hmac;
    101. 

  101. 

  102.     /* (Step 2) Key = 0x00 00...00 */
    103. 

  103.     memset(hmac->K, 0x00, hmac->blocklen);
    104. 

  104.     /* (Step 3) V = 0x01 01...01 */
    105. 

  105.     memset(hmac->V, 0x01, hmac->blocklen);
    106. 

  106.     /* (Step 4) (K,V) = HMAC_DRBG_Update(entropy||nonce||pers string, K, V) */
    107. 

  107.     return drbg_hmac_update(drbg, ent, ent_len, nonce, nonce_len, pstr,
    108. 

  108.                             pstr_len);
    109. 

  109. }
    110. 

  110. 

  111. /*
    112. 

  112.  * SP800-90Ar1 10.1.2.4 HMAC_DRBG_Reseed_Process:
    113. 

  113.  *
    114. 

  114.  * Reseeds the drbg's Key (K) and Value (V) by calling
    115. 

  115.  * (K,V) = drbg_hmac_update() with the following input parameters:
    116. 

  116.  *   ent = entropy input data (Can be NULL) of length ent_len.
    117. 

  117.  *   adin = additional input data (Can be NULL) of length adin_len.
    118. 

  118.  *
    119. 

  119.  * Returns zero if an error occurs otherwise it returns 1.
    120. 

  120.  */
    121. 

  121. static int drbg_hmac_reseed(RAND_DRBG *drbg,
    122. 

  122.                             const unsigned char *ent, size_t ent_len,
    123. 

  123.                             const unsigned char *adin, size_t adin_len)
    124. 

  124. {
    125. 

  125.     /* (Step 2) (K,V) = HMAC_DRBG_Update(entropy||additional_input, K, V) */
    126. 

  126.     return drbg_hmac_update(drbg, ent, ent_len, adin, adin_len, NULL, 0);
    127. 

  127. }
    128. 

  128. 

  129. /*
    130. 

  130.  * SP800-90Ar1 10.1.2.5 HMAC_DRBG_Generate_Process:
    131. 

  131.  *
    132. 

  132.  * Generates pseudo random bytes and updates the internal K,V for the drbg.
    133. 

  133.  * out is a buffer to fill with outlen bytes of pseudo random data.
    134. 

  134.  * adin is an additional_input string of size adin_len that may be NULL.
    135. 

  135.  *
    136. 

  136.  * Returns zero if an error occurs otherwise it returns 1.
    137. 

  137.  */
    138. 

  138. static int drbg_hmac_generate(RAND_DRBG *drbg,
    139. 

  139.                               unsigned char *out, size_t outlen,
    140. 

  140.                               const unsigned char *adin, size_t adin_len)
    141. 

  141. {
    142. 

  142.     RAND_DRBG_HMAC *hmac = &drbg->data.hmac;
    143. 

  143.     HMAC_CTX *ctx = hmac->ctx;
    144. 

  144.     const unsigned char *temp = hmac->V;
    145. 

  145. 

  146.     /* (Step 2) if adin != NULL then (K,V) = HMAC_DRBG_Update(adin, K, V) */
    147. 

  147.     if (adin != NULL
    148. 

  148.             && adin_len > 0
    149. 

  149.             && !drbg_hmac_update(drbg, adin, adin_len, NULL, 0, NULL, 0))
    150. 

  150.         return 0;
    151. 

  151. 

  152.     /*
    153. 

  153.      * (Steps 3-5) temp = NULL
    154. 

  154.      *             while (len(temp) < outlen) {
    155. 

  155.      *                 V = HMAC(K, V)
    156. 

  156.      *                 temp = temp || V
    157. 

  157.      *             }
    158. 

  158.      */
    159. 

  159.     for (;;) {
    160. 

  160.         if (!HMAC_Init_ex(ctx, hmac->K, hmac->blocklen, hmac->md, NULL)
    161. 

  161.                 || !HMAC_Update(ctx, temp, hmac->blocklen))
    162. 

  162.             return 0;
    163. 

  163. 

  164.         if (outlen > hmac->blocklen) {
    165. 

  165.             if (!HMAC_Final(ctx, out, NULL))
    166. 

  166.                 return 0;
    167. 

  167.             temp = out;
    168. 

  168.         } else {
    169. 

  169.             if (!HMAC_Final(ctx, hmac->V, NULL))
    170. 

  170.                 return 0;
    171. 

  171.             memcpy(out, hmac->V, outlen);
    172. 

  172.             break;
    173. 

  173.         }
    174. 

  174.         out += hmac->blocklen;
    175. 

  175.         outlen -= hmac->blocklen;
    176. 

  176.     }
    177. 

  177.     /* (Step 6) (K,V) = HMAC_DRBG_Update(adin, K, V) */
    178. 

  178.     if (!drbg_hmac_update(drbg, adin, adin_len, NULL, 0, NULL, 0))
    179. 

  179.         return 0;
    180. 

  180. 

  181.     return 1;
    182. 

  182. }
    183. 

  183. 

  184. static int drbg_hmac_uninstantiate(RAND_DRBG *drbg)
    185. 

  185. {
    186. 

  186.     HMAC_CTX_free(drbg->data.hmac.ctx);
    187. 

  187.     OPENSSL_cleanse(&drbg->data.hmac, sizeof(drbg->data.hmac));
    188. 

  188.     return 1;
    189. 

  189. }
    190. 

  190. 

  191. static RAND_DRBG_METHOD drbg_hmac_meth = {
    192. 

  192.     drbg_hmac_instantiate,
    193. 

  193.     drbg_hmac_reseed,
    194. 

  194.     drbg_hmac_generate,
    195. 

  195.     drbg_hmac_uninstantiate
    196. 

  196. };
    197. 

  197. 

  198. int drbg_hmac_init(RAND_DRBG *drbg)
    199. 

  199. {
    200. 

  200.     const EVP_MD *md = NULL;
    201. 

  201.     RAND_DRBG_HMAC *hmac = &drbg->data.hmac;
    202. 

  202. 

  203.     /* Any approved digest is allowed - assume we pass digest (not NID_hmac*) */
    204. 

  204.     md = EVP_get_digestbynid(drbg->type);
    205. 

  205.     if (md == NULL)
    206. 

  206.         return 0;
    207. 

  207. 

  208.     drbg->meth = &drbg_hmac_meth;
    209. 

  209. 

  210.     if (hmac->ctx == NULL) {
    211. 

  211.         hmac->ctx = HMAC_CTX_new();
    212. 

  212.         if (hmac->ctx == NULL)
    213. 

  213.             return 0;
    214. 

  214.     }
    215. 

  215. 

  216.     /* These are taken from SP 800-90 10.1 Table 2 */
    217. 

  217.     hmac->md = md;
    218. 

  218.     hmac->blocklen = EVP_MD_size(md);
    219. 

  219.     /* See SP800-57 Part1 Rev4 5.6.1 Table 3 */
    220. 

  220.     drbg->strength = 64 * (int)(hmac->blocklen >> 3);
    221. 

  221.     if (drbg->strength > 256)
    222. 

  222.         drbg->strength = 256;
    223. 

  223.     drbg->seedlen = hmac->blocklen;
    224. 

  224. 

  225.     drbg->min_entropylen = drbg->strength / 8;
    226. 

  226.     drbg->max_entropylen = DRBG_MAX_LENGTH;
    227. 

  227. 

  228.     drbg->min_noncelen = drbg->min_entropylen / 2;
    229. 

  229.     drbg->max_noncelen = DRBG_MAX_LENGTH;
    230. 

  230. 

  231.     drbg->max_perslen = DRBG_MAX_LENGTH;
    232. 

  232.     drbg->max_adinlen = DRBG_MAX_LENGTH;
    233. 

  233. 

  234.     /* Maximum number of bits per request = 2^19 = 2^16 bytes*/
    235. 

  235.     drbg->max_request = 1 << 16;
    236. 

  236. 

  237.     return 1;
    238. 

  238. }
    239.