fips_drbg_hash.c 9.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378
  1. /* fips/rand/fips_drbg_hash.c */
  2. /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  3. * project.
  4. */
  5. /* ====================================================================
  6. * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
  7. *
  8. * Redistribution and use in source and binary forms, with or without
  9. * modification, are permitted provided that the following conditions
  10. * are met:
  11. *
  12. * 1. Redistributions of source code must retain the above copyright
  13. * notice, this list of conditions and the following disclaimer.
  14. *
  15. * 2. Redistributions in binary form must reproduce the above copyright
  16. * notice, this list of conditions and the following disclaimer in
  17. * the documentation and/or other materials provided with the
  18. * distribution.
  19. *
  20. * 3. All advertising materials mentioning features or use of this
  21. * software must display the following acknowledgment:
  22. * "This product includes software developed by the OpenSSL Project
  23. * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
  24. *
  25. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  26. * endorse or promote products derived from this software without
  27. * prior written permission. For written permission, please contact
  28. * licensing@OpenSSL.org.
  29. *
  30. * 5. Products derived from this software may not be called "OpenSSL"
  31. * nor may "OpenSSL" appear in their names without prior written
  32. * permission of the OpenSSL Project.
  33. *
  34. * 6. Redistributions of any form whatsoever must retain the following
  35. * acknowledgment:
  36. * "This product includes software developed by the OpenSSL Project
  37. * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
  38. *
  39. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  40. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  41. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  42. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  43. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  44. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  45. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  46. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  47. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  48. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  49. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  50. * OF THE POSSIBILITY OF SUCH DAMAGE.
  51. * ====================================================================
  52. */
  53. #define OPENSSL_FIPSAPI
  54. #include <stdlib.h>
  55. #include <string.h>
  56. #include <openssl/crypto.h>
  57. #include <openssl/fips.h>
  58. #include <openssl/fips_rand.h>
  59. #include "fips_rand_lcl.h"
  60. /* This is Hash_df from SP 800-90 10.4.1 */
  61. static int hash_df(DRBG_CTX *dctx, unsigned char *out,
  62. const unsigned char *in1, size_t in1len,
  63. const unsigned char *in2, size_t in2len,
  64. const unsigned char *in3, size_t in3len,
  65. const unsigned char *in4, size_t in4len)
  66. {
  67. EVP_MD_CTX *mctx = &dctx->d.hash.mctx;
  68. unsigned char *vtmp = dctx->d.hash.vtmp;
  69. unsigned char tmp[6];
  70. /* Standard only ever needs seedlen bytes which is always less than
  71. * maximum permitted so no need to check length.
  72. */
  73. size_t outlen = dctx->seedlen;
  74. tmp[0] = 1;
  75. tmp[1] = ((outlen * 8) >> 24) & 0xff;
  76. tmp[2] = ((outlen * 8) >> 16) & 0xff;
  77. tmp[3] = ((outlen * 8) >> 8) & 0xff;
  78. tmp[4] = (outlen * 8) & 0xff;
  79. if (!in1)
  80. {
  81. tmp[5] = (unsigned char)in1len;
  82. in1 = tmp + 5;
  83. in1len = 1;
  84. }
  85. for (;;)
  86. {
  87. if (!FIPS_digestinit(mctx, dctx->d.hash.md))
  88. return 0;
  89. if (!FIPS_digestupdate(mctx, tmp, 5))
  90. return 0;
  91. if (in1 && !FIPS_digestupdate(mctx, in1, in1len))
  92. return 0;
  93. if (in2 && !FIPS_digestupdate(mctx, in2, in2len))
  94. return 0;
  95. if (in3 && !FIPS_digestupdate(mctx, in3, in3len))
  96. return 0;
  97. if (in4 && !FIPS_digestupdate(mctx, in4, in4len))
  98. return 0;
  99. if (outlen < dctx->blocklength)
  100. {
  101. if (!FIPS_digestfinal(mctx, vtmp, NULL))
  102. return 0;
  103. memcpy(out, vtmp, outlen);
  104. OPENSSL_cleanse(vtmp, dctx->blocklength);
  105. return 1;
  106. }
  107. else if(!FIPS_digestfinal(mctx, out, NULL))
  108. return 0;
  109. outlen -= dctx->blocklength;
  110. if (outlen == 0)
  111. return 1;
  112. tmp[0]++;
  113. out += dctx->blocklength;
  114. }
  115. }
  116. /* Add an unsigned buffer to the buf value, storing the result in buf. For
  117. * this algorithm the length of input never exceeds the seed length.
  118. */
  119. static void ctx_add_buf(DRBG_CTX *dctx, unsigned char *buf,
  120. unsigned char *in, size_t inlen)
  121. {
  122. size_t i = inlen;
  123. const unsigned char *q;
  124. unsigned char c, *p;
  125. p = buf + dctx->seedlen;
  126. q = in + inlen;
  127. OPENSSL_assert(i <= dctx->seedlen);
  128. /* Special case: zero length, just increment buffer */
  129. if (i)
  130. c = 0;
  131. else
  132. c = 1;
  133. while (i)
  134. {
  135. int r;
  136. p--;
  137. q--;
  138. r = *p + *q + c;
  139. /* Carry */
  140. if (r > 0xff)
  141. c = 1;
  142. else
  143. c = 0;
  144. *p = r & 0xff;
  145. i--;
  146. }
  147. i = dctx->seedlen - inlen;
  148. /* If not adding whole buffer handle final carries */
  149. if (c && i)
  150. {
  151. do
  152. {
  153. p--;
  154. c = *p;
  155. c++;
  156. *p = c;
  157. if(c)
  158. return;
  159. } while(i--);
  160. }
  161. }
  162. /* Finalise and add hash to V */
  163. static int ctx_add_md(DRBG_CTX *dctx)
  164. {
  165. if (!FIPS_digestfinal(&dctx->d.hash.mctx, dctx->d.hash.vtmp, NULL))
  166. return 0;
  167. ctx_add_buf(dctx, dctx->d.hash.V, dctx->d.hash.vtmp, dctx->blocklength);
  168. return 1;
  169. }
  170. static int hash_gen(DRBG_CTX *dctx, unsigned char *out, size_t outlen)
  171. {
  172. DRBG_HASH_CTX *hctx = &dctx->d.hash;
  173. if (outlen == 0)
  174. return 1;
  175. memcpy(hctx->vtmp, hctx->V, dctx->seedlen);
  176. for(;;)
  177. {
  178. FIPS_digestinit(&hctx->mctx, hctx->md);
  179. FIPS_digestupdate(&hctx->mctx, hctx->vtmp, dctx->seedlen);
  180. if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid)
  181. {
  182. FIPS_digestfinal(&hctx->mctx, dctx->lb, NULL);
  183. dctx->lb_valid = 1;
  184. }
  185. else if (outlen < dctx->blocklength)
  186. {
  187. FIPS_digestfinal(&hctx->mctx, hctx->vtmp, NULL);
  188. if (!fips_drbg_cprng_test(dctx, hctx->vtmp))
  189. return 0;
  190. memcpy(out, hctx->vtmp, outlen);
  191. return 1;
  192. }
  193. else
  194. {
  195. FIPS_digestfinal(&hctx->mctx, out, NULL);
  196. if (!fips_drbg_cprng_test(dctx, out))
  197. return 0;
  198. outlen -= dctx->blocklength;
  199. if (outlen == 0)
  200. return 1;
  201. out += dctx->blocklength;
  202. }
  203. ctx_add_buf(dctx, hctx->vtmp, NULL, 0);
  204. }
  205. }
  206. static int drbg_hash_instantiate(DRBG_CTX *dctx,
  207. const unsigned char *ent, size_t ent_len,
  208. const unsigned char *nonce, size_t nonce_len,
  209. const unsigned char *pstr, size_t pstr_len)
  210. {
  211. DRBG_HASH_CTX *hctx = &dctx->d.hash;
  212. if (!hash_df(dctx, hctx->V,
  213. ent, ent_len, nonce, nonce_len, pstr, pstr_len,
  214. NULL, 0))
  215. return 0;
  216. if (!hash_df(dctx, hctx->C,
  217. NULL, 0, hctx->V, dctx->seedlen,
  218. NULL, 0, NULL, 0))
  219. return 0;
  220. #ifdef HASH_DRBG_TRACE
  221. fprintf(stderr, "V+C after instantiate:\n");
  222. hexprint(stderr, hctx->V, dctx->seedlen);
  223. hexprint(stderr, hctx->C, dctx->seedlen);
  224. #endif
  225. return 1;
  226. }
  227. static int drbg_hash_reseed(DRBG_CTX *dctx,
  228. const unsigned char *ent, size_t ent_len,
  229. const unsigned char *adin, size_t adin_len)
  230. {
  231. DRBG_HASH_CTX *hctx = &dctx->d.hash;
  232. /* V about to be updated so use C as output instead */
  233. if (!hash_df(dctx, hctx->C,
  234. NULL, 1, hctx->V, dctx->seedlen,
  235. ent, ent_len, adin, adin_len))
  236. return 0;
  237. memcpy(hctx->V, hctx->C, dctx->seedlen);
  238. if (!hash_df(dctx, hctx->C, NULL, 0,
  239. hctx->V, dctx->seedlen, NULL, 0, NULL, 0))
  240. return 0;
  241. #ifdef HASH_DRBG_TRACE
  242. fprintf(stderr, "V+C after reseed:\n");
  243. hexprint(stderr, hctx->V, dctx->seedlen);
  244. hexprint(stderr, hctx->C, dctx->seedlen);
  245. #endif
  246. return 1;
  247. }
  248. static int drbg_hash_generate(DRBG_CTX *dctx,
  249. unsigned char *out, size_t outlen,
  250. const unsigned char *adin, size_t adin_len)
  251. {
  252. DRBG_HASH_CTX *hctx = &dctx->d.hash;
  253. EVP_MD_CTX *mctx = &hctx->mctx;
  254. unsigned char tmp[4];
  255. if (adin && adin_len)
  256. {
  257. tmp[0] = 2;
  258. if (!FIPS_digestinit(mctx, hctx->md))
  259. return 0;
  260. if (!EVP_DigestUpdate(mctx, tmp, 1))
  261. return 0;
  262. if (!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen))
  263. return 0;
  264. if (!EVP_DigestUpdate(mctx, adin, adin_len))
  265. return 0;
  266. if (!ctx_add_md(dctx))
  267. return 0;
  268. }
  269. if (!hash_gen(dctx, out, outlen))
  270. return 0;
  271. tmp[0] = 3;
  272. if (!FIPS_digestinit(mctx, hctx->md))
  273. return 0;
  274. if (!EVP_DigestUpdate(mctx, tmp, 1))
  275. return 0;
  276. if (!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen))
  277. return 0;
  278. if (!ctx_add_md(dctx))
  279. return 0;
  280. ctx_add_buf(dctx, hctx->V, hctx->C, dctx->seedlen);
  281. tmp[0] = (dctx->reseed_counter >> 24) & 0xff;
  282. tmp[1] = (dctx->reseed_counter >> 16) & 0xff;
  283. tmp[2] = (dctx->reseed_counter >> 8) & 0xff;
  284. tmp[3] = dctx->reseed_counter & 0xff;
  285. ctx_add_buf(dctx, hctx->V, tmp, 4);
  286. #ifdef HASH_DRBG_TRACE
  287. fprintf(stderr, "V+C after generate:\n");
  288. hexprint(stderr, hctx->V, dctx->seedlen);
  289. hexprint(stderr, hctx->C, dctx->seedlen);
  290. #endif
  291. return 1;
  292. }
  293. static int drbg_hash_uninstantiate(DRBG_CTX *dctx)
  294. {
  295. EVP_MD_CTX_cleanup(&dctx->d.hash.mctx);
  296. OPENSSL_cleanse(&dctx->d.hash, sizeof(DRBG_HASH_CTX));
  297. return 1;
  298. }
  299. int fips_drbg_hash_init(DRBG_CTX *dctx)
  300. {
  301. const EVP_MD *md;
  302. DRBG_HASH_CTX *hctx = &dctx->d.hash;
  303. md = FIPS_get_digestbynid(dctx->type);
  304. if (!md)
  305. return -2;
  306. switch (dctx->type)
  307. {
  308. case NID_sha1:
  309. dctx->strength = 128;
  310. break;
  311. case NID_sha224:
  312. dctx->strength = 192;
  313. break;
  314. default:
  315. dctx->strength = 256;
  316. break;
  317. }
  318. dctx->instantiate = drbg_hash_instantiate;
  319. dctx->reseed = drbg_hash_reseed;
  320. dctx->generate = drbg_hash_generate;
  321. dctx->uninstantiate = drbg_hash_uninstantiate;
  322. dctx->d.hash.md = md;
  323. EVP_MD_CTX_init(&hctx->mctx);
  324. /* These are taken from SP 800-90 10.1 table 2 */
  325. dctx->blocklength = M_EVP_MD_size(md);
  326. if (dctx->blocklength > 32)
  327. dctx->seedlen = 111;
  328. else
  329. dctx->seedlen = 55;
  330. dctx->min_entropy = dctx->strength / 8;
  331. dctx->max_entropy = DRBG_MAX_LENGTH;
  332. dctx->min_nonce = dctx->min_entropy / 2;
  333. dctx->max_nonce = DRBG_MAX_LENGTH;
  334. dctx->max_pers = DRBG_MAX_LENGTH;
  335. dctx->max_adin = DRBG_MAX_LENGTH;
  336. dctx->max_request = 1<<16;
  337. dctx->reseed_interval = 1<<24;
  338. return 1;
  339. }