2
0

drbg_hmac.c 8.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270
  1. /*
  2. * Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdlib.h>
  10. #include <string.h>
  11. #include <openssl/crypto.h>
  12. #include <openssl/err.h>
  13. #include <openssl/rand.h>
  14. #include "internal/thread_once.h"
  15. #include "prov/providercommon.h"
  16. #include "rand_local.h"
  17. /*
  18. * Called twice by SP800-90Ar1 10.1.2.2 HMAC_DRBG_Update_Process.
  19. *
  20. * hmac is an object that holds the input/output Key and Value (K and V).
  21. * inbyte is 0x00 on the first call and 0x01 on the second call.
  22. * in1, in2, in3 are optional inputs that can be NULL.
  23. * in1len, in2len, in3len are the lengths of the input buffers.
  24. *
  25. * The returned K,V is:
  26. * hmac->K = HMAC(hmac->K, hmac->V || inbyte || [in1] || [in2] || [in3])
  27. * hmac->V = HMAC(hmac->K, hmac->V)
  28. *
  29. * Returns zero if an error occurs otherwise it returns 1.
  30. */
  31. static int do_hmac(RAND_DRBG_HMAC *hmac, unsigned char inbyte,
  32. const unsigned char *in1, size_t in1len,
  33. const unsigned char *in2, size_t in2len,
  34. const unsigned char *in3, size_t in3len)
  35. {
  36. HMAC_CTX *ctx = hmac->ctx;
  37. return HMAC_Init_ex(ctx, hmac->K, hmac->blocklen, hmac->md, NULL)
  38. /* K = HMAC(K, V || inbyte || [in1] || [in2] || [in3]) */
  39. && HMAC_Update(ctx, hmac->V, hmac->blocklen)
  40. && HMAC_Update(ctx, &inbyte, 1)
  41. && (in1 == NULL || in1len == 0 || HMAC_Update(ctx, in1, in1len))
  42. && (in2 == NULL || in2len == 0 || HMAC_Update(ctx, in2, in2len))
  43. && (in3 == NULL || in3len == 0 || HMAC_Update(ctx, in3, in3len))
  44. && HMAC_Final(ctx, hmac->K, NULL)
  45. /* V = HMAC(K, V) */
  46. && HMAC_Init_ex(ctx, hmac->K, hmac->blocklen, hmac->md, NULL)
  47. && HMAC_Update(ctx, hmac->V, hmac->blocklen)
  48. && HMAC_Final(ctx, hmac->V, NULL);
  49. }
  50. /*
  51. * SP800-90Ar1 10.1.2.2 HMAC_DRBG_Update_Process
  52. *
  53. *
  54. * Updates the drbg objects Key(K) and Value(V) using the following algorithm:
  55. * K,V = do_hmac(hmac, 0, in1, in2, in3)
  56. * if (any input is not NULL)
  57. * K,V = do_hmac(hmac, 1, in1, in2, in3)
  58. *
  59. * where in1, in2, in3 are optional input buffers that can be NULL.
  60. * in1len, in2len, in3len are the lengths of the input buffers.
  61. *
  62. * Returns zero if an error occurs otherwise it returns 1.
  63. */
  64. static int drbg_hmac_update(RAND_DRBG *drbg,
  65. const unsigned char *in1, size_t in1len,
  66. const unsigned char *in2, size_t in2len,
  67. const unsigned char *in3, size_t in3len)
  68. {
  69. RAND_DRBG_HMAC *hmac = &drbg->data.hmac;
  70. /* (Steps 1-2) K = HMAC(K, V||0x00||provided_data). V = HMAC(K,V) */
  71. if (!do_hmac(hmac, 0x00, in1, in1len, in2, in2len, in3, in3len))
  72. return 0;
  73. /* (Step 3) If provided_data == NULL then return (K,V) */
  74. if (in1len == 0 && in2len == 0 && in3len == 0)
  75. return 1;
  76. /* (Steps 4-5) K = HMAC(K, V||0x01||provided_data). V = HMAC(K,V) */
  77. return do_hmac(hmac, 0x01, in1, in1len, in2, in2len, in3, in3len);
  78. }
  79. /*
  80. * SP800-90Ar1 10.1.2.3 HMAC_DRBG_Instantiate_Process:
  81. *
  82. * This sets the drbg Key (K) to all zeros, and Value (V) to all 1's.
  83. * and then calls (K,V) = drbg_hmac_update() with input parameters:
  84. * ent = entropy data (Can be NULL) of length ent_len.
  85. * nonce = nonce data (Can be NULL) of length nonce_len.
  86. * pstr = personalization data (Can be NULL) of length pstr_len.
  87. *
  88. * Returns zero if an error occurs otherwise it returns 1.
  89. */
  90. static int drbg_hmac_instantiate(RAND_DRBG *drbg,
  91. const unsigned char *ent, size_t ent_len,
  92. const unsigned char *nonce, size_t nonce_len,
  93. const unsigned char *pstr, size_t pstr_len)
  94. {
  95. RAND_DRBG_HMAC *hmac = &drbg->data.hmac;
  96. /* (Step 2) Key = 0x00 00...00 */
  97. memset(hmac->K, 0x00, hmac->blocklen);
  98. /* (Step 3) V = 0x01 01...01 */
  99. memset(hmac->V, 0x01, hmac->blocklen);
  100. /* (Step 4) (K,V) = HMAC_DRBG_Update(entropy||nonce||pers string, K, V) */
  101. return drbg_hmac_update(drbg, ent, ent_len, nonce, nonce_len, pstr,
  102. pstr_len);
  103. }
  104. /*
  105. * SP800-90Ar1 10.1.2.4 HMAC_DRBG_Reseed_Process:
  106. *
  107. * Reseeds the drbg's Key (K) and Value (V) by calling
  108. * (K,V) = drbg_hmac_update() with the following input parameters:
  109. * ent = entropy input data (Can be NULL) of length ent_len.
  110. * adin = additional input data (Can be NULL) of length adin_len.
  111. *
  112. * Returns zero if an error occurs otherwise it returns 1.
  113. */
  114. static int drbg_hmac_reseed(RAND_DRBG *drbg,
  115. const unsigned char *ent, size_t ent_len,
  116. const unsigned char *adin, size_t adin_len)
  117. {
  118. /* (Step 2) (K,V) = HMAC_DRBG_Update(entropy||additional_input, K, V) */
  119. return drbg_hmac_update(drbg, ent, ent_len, adin, adin_len, NULL, 0);
  120. }
  121. /*
  122. * SP800-90Ar1 10.1.2.5 HMAC_DRBG_Generate_Process:
  123. *
  124. * Generates pseudo random bytes and updates the internal K,V for the drbg.
  125. * out is a buffer to fill with outlen bytes of pseudo random data.
  126. * adin is an additional_input string of size adin_len that may be NULL.
  127. *
  128. * Returns zero if an error occurs otherwise it returns 1.
  129. */
  130. static int drbg_hmac_generate(RAND_DRBG *drbg,
  131. unsigned char *out, size_t outlen,
  132. const unsigned char *adin, size_t adin_len)
  133. {
  134. RAND_DRBG_HMAC *hmac = &drbg->data.hmac;
  135. HMAC_CTX *ctx = hmac->ctx;
  136. const unsigned char *temp = hmac->V;
  137. /* (Step 2) if adin != NULL then (K,V) = HMAC_DRBG_Update(adin, K, V) */
  138. if (adin != NULL
  139. && adin_len > 0
  140. && !drbg_hmac_update(drbg, adin, adin_len, NULL, 0, NULL, 0))
  141. return 0;
  142. /*
  143. * (Steps 3-5) temp = NULL
  144. * while (len(temp) < outlen) {
  145. * V = HMAC(K, V)
  146. * temp = temp || V
  147. * }
  148. */
  149. for (;;) {
  150. if (!HMAC_Init_ex(ctx, hmac->K, hmac->blocklen, hmac->md, NULL)
  151. || !HMAC_Update(ctx, temp, hmac->blocklen))
  152. return 0;
  153. if (outlen > hmac->blocklen) {
  154. if (!HMAC_Final(ctx, out, NULL))
  155. return 0;
  156. temp = out;
  157. } else {
  158. if (!HMAC_Final(ctx, hmac->V, NULL))
  159. return 0;
  160. memcpy(out, hmac->V, outlen);
  161. break;
  162. }
  163. out += hmac->blocklen;
  164. outlen -= hmac->blocklen;
  165. }
  166. /* (Step 6) (K,V) = HMAC_DRBG_Update(adin, K, V) */
  167. if (!drbg_hmac_update(drbg, adin, adin_len, NULL, 0, NULL, 0))
  168. return 0;
  169. return 1;
  170. }
  171. static int drbg_hmac_uninstantiate(RAND_DRBG *drbg)
  172. {
  173. EVP_MD_free(drbg->data.hmac.md);
  174. HMAC_CTX_free(drbg->data.hmac.ctx);
  175. OPENSSL_cleanse(&drbg->data.hmac, sizeof(drbg->data.hmac));
  176. return 1;
  177. }
  178. static RAND_DRBG_METHOD drbg_hmac_meth = {
  179. drbg_hmac_instantiate,
  180. drbg_hmac_reseed,
  181. drbg_hmac_generate,
  182. drbg_hmac_uninstantiate
  183. };
  184. int drbg_hmac_init(RAND_DRBG *drbg)
  185. {
  186. EVP_MD *md = NULL;
  187. RAND_DRBG_HMAC *hmac = &drbg->data.hmac;
  188. /*
  189. * Confirm digest is allowed. Outside FIPS_MODE we allow all non-legacy
  190. * digests. Inside FIPS_MODE we only allow approved digests. Also no XOF
  191. * digests (such as SHAKE).
  192. */
  193. switch (drbg->type) {
  194. default:
  195. return 0;
  196. case NID_sha1:
  197. case NID_sha224:
  198. case NID_sha256:
  199. case NID_sha384:
  200. case NID_sha512:
  201. case NID_sha512_224:
  202. case NID_sha512_256:
  203. case NID_sha3_224:
  204. case NID_sha3_256:
  205. case NID_sha3_384:
  206. case NID_sha3_512:
  207. #ifndef FIPS_MODE
  208. case NID_blake2b512:
  209. case NID_blake2s256:
  210. case NID_sm3:
  211. #endif
  212. break;
  213. }
  214. md = EVP_MD_fetch(drbg->libctx, ossl_prov_util_nid_to_name(drbg->type), "");
  215. if (md == NULL)
  216. return 0;
  217. drbg->meth = &drbg_hmac_meth;
  218. if (hmac->ctx == NULL) {
  219. hmac->ctx = HMAC_CTX_new();
  220. if (hmac->ctx == NULL) {
  221. EVP_MD_free(md);
  222. return 0;
  223. }
  224. }
  225. /* These are taken from SP 800-90 10.1 Table 2 */
  226. EVP_MD_free(hmac->md);
  227. hmac->md = md;
  228. hmac->blocklen = EVP_MD_size(md);
  229. /* See SP800-57 Part1 Rev4 5.6.1 Table 3 */
  230. drbg->strength = 64 * (int)(hmac->blocklen >> 3);
  231. if (drbg->strength > 256)
  232. drbg->strength = 256;
  233. drbg->seedlen = hmac->blocklen;
  234. drbg->min_entropylen = drbg->strength / 8;
  235. drbg->max_entropylen = DRBG_MAX_LENGTH;
  236. drbg->min_noncelen = drbg->min_entropylen / 2;
  237. drbg->max_noncelen = DRBG_MAX_LENGTH;
  238. drbg->max_perslen = DRBG_MAX_LENGTH;
  239. drbg->max_adinlen = DRBG_MAX_LENGTH;
  240. /* Maximum number of bits per request = 2^19 = 2^16 bytes*/
  241. drbg->max_request = 1 << 16;
  242. return 1;
  243. }