1 | /* |
2 | * Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved. |
3 | * |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at |
7 | * https://www.openssl.org/source/license.html |
8 | */ |
9 | |
10 | #include <stdlib.h> |
11 | #include <string.h> |
12 | #include <openssl/crypto.h> |
13 | #include <openssl/err.h> |
14 | #include <openssl/rand.h> |
15 | #include "internal/thread_once.h" |
16 | #include "prov/providercommon.h" |
17 | #include "rand_local.h" |
18 | |
19 | /* |
20 | * Called twice by SP800-90Ar1 10.1.2.2 HMAC_DRBG_Update_Process. |
21 | * |
22 | * hmac is an object that holds the input/output Key and Value (K and V). |
23 | * inbyte is 0x00 on the first call and 0x01 on the second call. |
24 | * in1, in2, in3 are optional inputs that can be NULL. |
25 | * in1len, in2len, in3len are the lengths of the input buffers. |
26 | * |
27 | * The returned K,V is: |
28 | * hmac->K = HMAC(hmac->K, hmac->V || inbyte || [in1] || [in2] || [in3]) |
29 | * hmac->V = HMAC(hmac->K, hmac->V) |
30 | * |
31 | * Returns zero if an error occurs otherwise it returns 1. |
32 | */ |
33 | static int do_hmac(RAND_DRBG_HMAC *hmac, unsigned char inbyte, |
34 | const unsigned char *in1, size_t in1len, |
35 | const unsigned char *in2, size_t in2len, |
36 | const unsigned char *in3, size_t in3len) |
37 | { |
38 | HMAC_CTX *ctx = hmac->ctx; |
39 | |
40 | return HMAC_Init_ex(ctx, hmac->K, hmac->blocklen, hmac->md, NULL) |
41 | /* K = HMAC(K, V || inbyte || [in1] || [in2] || [in3]) */ |
42 | && HMAC_Update(ctx, hmac->V, hmac->blocklen) |
43 | && HMAC_Update(ctx, &inbyte, 1) |
44 | && (in1 == NULL || in1len == 0 || HMAC_Update(ctx, in1, in1len)) |
45 | && (in2 == NULL || in2len == 0 || HMAC_Update(ctx, in2, in2len)) |
46 | && (in3 == NULL || in3len == 0 || HMAC_Update(ctx, in3, in3len)) |
47 | && HMAC_Final(ctx, hmac->K, NULL) |
48 | /* V = HMAC(K, V) */ |
49 | && HMAC_Init_ex(ctx, hmac->K, hmac->blocklen, hmac->md, NULL) |
50 | && HMAC_Update(ctx, hmac->V, hmac->blocklen) |
51 | && HMAC_Final(ctx, hmac->V, NULL); |
52 | } |
53 | |
54 | /* |
55 | * SP800-90Ar1 10.1.2.2 HMAC_DRBG_Update_Process |
56 | * |
57 | * |
58 | * Updates the drbg objects Key(K) and Value(V) using the following algorithm: |
59 | * K,V = do_hmac(hmac, 0, in1, in2, in3) |
60 | * if (any input is not NULL) |
61 | * K,V = do_hmac(hmac, 1, in1, in2, in3) |
62 | * |
63 | * where in1, in2, in3 are optional input buffers that can be NULL. |
64 | * in1len, in2len, in3len are the lengths of the input buffers. |
65 | * |
66 | * Returns zero if an error occurs otherwise it returns 1. |
67 | */ |
68 | static int drbg_hmac_update(RAND_DRBG *drbg, |
69 | const unsigned char *in1, size_t in1len, |
70 | const unsigned char *in2, size_t in2len, |
71 | const unsigned char *in3, size_t in3len) |
72 | { |
73 | RAND_DRBG_HMAC *hmac = &drbg->data.hmac; |
74 | |
75 | /* (Steps 1-2) K = HMAC(K, V||0x00||provided_data). V = HMAC(K,V) */ |
76 | if (!do_hmac(hmac, 0x00, in1, in1len, in2, in2len, in3, in3len)) |
77 | return 0; |
78 | /* (Step 3) If provided_data == NULL then return (K,V) */ |
79 | if (in1len == 0 && in2len == 0 && in3len == 0) |
80 | return 1; |
81 | /* (Steps 4-5) K = HMAC(K, V||0x01||provided_data). V = HMAC(K,V) */ |
82 | return do_hmac(hmac, 0x01, in1, in1len, in2, in2len, in3, in3len); |
83 | } |
84 | |
85 | /* |
86 | * SP800-90Ar1 10.1.2.3 HMAC_DRBG_Instantiate_Process: |
87 | * |
88 | * This sets the drbg Key (K) to all zeros, and Value (V) to all 1's. |
89 | * and then calls (K,V) = drbg_hmac_update() with input parameters: |
90 | * ent = entropy data (Can be NULL) of length ent_len. |
91 | * nonce = nonce data (Can be NULL) of length nonce_len. |
92 | * pstr = personalization data (Can be NULL) of length pstr_len. |
93 | * |
94 | * Returns zero if an error occurs otherwise it returns 1. |
95 | */ |
96 | static int drbg_hmac_instantiate(RAND_DRBG *drbg, |
97 | const unsigned char *ent, size_t ent_len, |
98 | const unsigned char *nonce, size_t nonce_len, |
99 | const unsigned char *pstr, size_t pstr_len) |
100 | { |
101 | RAND_DRBG_HMAC *hmac = &drbg->data.hmac; |
102 | |
103 | /* (Step 2) Key = 0x00 00...00 */ |
104 | memset(hmac->K, 0x00, hmac->blocklen); |
105 | /* (Step 3) V = 0x01 01...01 */ |
106 | memset(hmac->V, 0x01, hmac->blocklen); |
107 | /* (Step 4) (K,V) = HMAC_DRBG_Update(entropy||nonce||pers string, K, V) */ |
108 | return drbg_hmac_update(drbg, ent, ent_len, nonce, nonce_len, pstr, |
109 | pstr_len); |
110 | } |
111 | |
112 | /* |
113 | * SP800-90Ar1 10.1.2.4 HMAC_DRBG_Reseed_Process: |
114 | * |
115 | * Reseeds the drbg's Key (K) and Value (V) by calling |
116 | * (K,V) = drbg_hmac_update() with the following input parameters: |
117 | * ent = entropy input data (Can be NULL) of length ent_len. |
118 | * adin = additional input data (Can be NULL) of length adin_len. |
119 | * |
120 | * Returns zero if an error occurs otherwise it returns 1. |
121 | */ |
122 | static int drbg_hmac_reseed(RAND_DRBG *drbg, |
123 | const unsigned char *ent, size_t ent_len, |
124 | const unsigned char *adin, size_t adin_len) |
125 | { |
126 | /* (Step 2) (K,V) = HMAC_DRBG_Update(entropy||additional_input, K, V) */ |
127 | return drbg_hmac_update(drbg, ent, ent_len, adin, adin_len, NULL, 0); |
128 | } |
129 | |
130 | /* |
131 | * SP800-90Ar1 10.1.2.5 HMAC_DRBG_Generate_Process: |
132 | * |
133 | * Generates pseudo random bytes and updates the internal K,V for the drbg. |
134 | * out is a buffer to fill with outlen bytes of pseudo random data. |
135 | * adin is an additional_input string of size adin_len that may be NULL. |
136 | * |
137 | * Returns zero if an error occurs otherwise it returns 1. |
138 | */ |
139 | static int drbg_hmac_generate(RAND_DRBG *drbg, |
140 | unsigned char *out, size_t outlen, |
141 | const unsigned char *adin, size_t adin_len) |
142 | { |
143 | RAND_DRBG_HMAC *hmac = &drbg->data.hmac; |
144 | HMAC_CTX *ctx = hmac->ctx; |
145 | const unsigned char *temp = hmac->V; |
146 | |
147 | /* (Step 2) if adin != NULL then (K,V) = HMAC_DRBG_Update(adin, K, V) */ |
148 | if (adin != NULL |
149 | && adin_len > 0 |
150 | && !drbg_hmac_update(drbg, adin, adin_len, NULL, 0, NULL, 0)) |
151 | return 0; |
152 | |
153 | /* |
154 | * (Steps 3-5) temp = NULL |
155 | * while (len(temp) < outlen) { |
156 | * V = HMAC(K, V) |
157 | * temp = temp || V |
158 | * } |
159 | */ |
160 | for (;;) { |
161 | if (!HMAC_Init_ex(ctx, hmac->K, hmac->blocklen, hmac->md, NULL) |
162 | || !HMAC_Update(ctx, temp, hmac->blocklen)) |
163 | return 0; |
164 | |
165 | if (outlen > hmac->blocklen) { |
166 | if (!HMAC_Final(ctx, out, NULL)) |
167 | return 0; |
168 | temp = out; |
169 | } else { |
170 | if (!HMAC_Final(ctx, hmac->V, NULL)) |
171 | return 0; |
172 | memcpy(out, hmac->V, outlen); |
173 | break; |
174 | } |
175 | out += hmac->blocklen; |
176 | outlen -= hmac->blocklen; |
177 | } |
178 | /* (Step 6) (K,V) = HMAC_DRBG_Update(adin, K, V) */ |
179 | if (!drbg_hmac_update(drbg, adin, adin_len, NULL, 0, NULL, 0)) |
180 | return 0; |
181 | |
182 | return 1; |
183 | } |
184 | |
185 | static int drbg_hmac_uninstantiate(RAND_DRBG *drbg) |
186 | { |
187 | EVP_MD_free(drbg->data.hmac.md); |
188 | HMAC_CTX_free(drbg->data.hmac.ctx); |
189 | OPENSSL_cleanse(&drbg->data.hmac, sizeof(drbg->data.hmac)); |
190 | return 1; |
191 | } |
192 | |
193 | static RAND_DRBG_METHOD drbg_hmac_meth = { |
194 | drbg_hmac_instantiate, |
195 | drbg_hmac_reseed, |
196 | drbg_hmac_generate, |
197 | drbg_hmac_uninstantiate |
198 | }; |
199 | |
200 | int drbg_hmac_init(RAND_DRBG *drbg) |
201 | { |
202 | EVP_MD *md = NULL; |
203 | RAND_DRBG_HMAC *hmac = &drbg->data.hmac; |
204 | |
205 | /* |
206 | * Confirm digest is allowed. We allow all digests that are not XOF |
207 | * (such as SHAKE). In FIPS mode, the fetch will fail for non-approved |
208 | * digests. |
209 | */ |
210 | md = EVP_MD_fetch(drbg->libctx, ossl_prov_util_nid_to_name(drbg->type), "" ); |
211 | if (md == NULL) |
212 | return 0; |
213 | |
214 | if ((EVP_MD_flags(md) & EVP_MD_FLAG_XOF) != 0) |
215 | return 0; |
216 | |
217 | drbg->meth = &drbg_hmac_meth; |
218 | |
219 | if (hmac->ctx == NULL) { |
220 | hmac->ctx = HMAC_CTX_new(); |
221 | if (hmac->ctx == NULL) { |
222 | EVP_MD_free(md); |
223 | return 0; |
224 | } |
225 | } |
226 | |
227 | /* These are taken from SP 800-90 10.1 Table 2 */ |
228 | EVP_MD_free(hmac->md); |
229 | hmac->md = md; |
230 | hmac->blocklen = EVP_MD_size(md); |
231 | /* See SP800-57 Part1 Rev4 5.6.1 Table 3 */ |
232 | drbg->strength = 64 * (int)(hmac->blocklen >> 3); |
233 | if (drbg->strength > 256) |
234 | drbg->strength = 256; |
235 | drbg->seedlen = hmac->blocklen; |
236 | |
237 | drbg->min_entropylen = drbg->strength / 8; |
238 | drbg->max_entropylen = DRBG_MAX_LENGTH; |
239 | |
240 | drbg->min_noncelen = drbg->min_entropylen / 2; |
241 | drbg->max_noncelen = DRBG_MAX_LENGTH; |
242 | |
243 | drbg->max_perslen = DRBG_MAX_LENGTH; |
244 | drbg->max_adinlen = DRBG_MAX_LENGTH; |
245 | |
246 | /* Maximum number of bits per request = 2^19 = 2^16 bytes*/ |
247 | drbg->max_request = 1 << 16; |
248 | |
249 | return 1; |
250 | } |
251 | |