| 1 | /* |
|---|---|
| 2 | * Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved. |
| 3 | * |
| 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
| 5 | * this file except in compliance with the License. You can obtain a copy |
| 6 | * in the file LICENSE in the source distribution or at |
| 7 | * https://www.openssl.org/source/license.html |
| 8 | */ |
| 9 | |
| 10 | #include <stdlib.h> |
| 11 | #include <string.h> |
| 12 | #include <openssl/crypto.h> |
| 13 | #include <openssl/err.h> |
| 14 | #include <openssl/rand.h> |
| 15 | #include "internal/thread_once.h" |
| 16 | #include "prov/providercommon.h" |
| 17 | #include "rand_local.h" |
| 18 | |
| 19 | /* |
| 20 | * Called twice by SP800-90Ar1 10.1.2.2 HMAC_DRBG_Update_Process. |
| 21 | * |
| 22 | * hmac is an object that holds the input/output Key and Value (K and V). |
| 23 | * inbyte is 0x00 on the first call and 0x01 on the second call. |
| 24 | * in1, in2, in3 are optional inputs that can be NULL. |
| 25 | * in1len, in2len, in3len are the lengths of the input buffers. |
| 26 | * |
| 27 | * The returned K,V is: |
| 28 | * hmac->K = HMAC(hmac->K, hmac->V || inbyte || [in1] || [in2] || [in3]) |
| 29 | * hmac->V = HMAC(hmac->K, hmac->V) |
| 30 | * |
| 31 | * Returns zero if an error occurs otherwise it returns 1. |
| 32 | */ |
| 33 | static int do_hmac(RAND_DRBG_HMAC *hmac, unsigned char inbyte, |
| 34 | const unsigned char *in1, size_t in1len, |
| 35 | const unsigned char *in2, size_t in2len, |
| 36 | const unsigned char *in3, size_t in3len) |
| 37 | { |
| 38 | HMAC_CTX *ctx = hmac->ctx; |
| 39 | |
| 40 | return HMAC_Init_ex(ctx, hmac->K, hmac->blocklen, hmac->md, NULL) |
| 41 | /* K = HMAC(K, V || inbyte || [in1] || [in2] || [in3]) */ |
| 42 | && HMAC_Update(ctx, hmac->V, hmac->blocklen) |
| 43 | && HMAC_Update(ctx, &inbyte, 1) |
| 44 | && (in1 == NULL || in1len == 0 || HMAC_Update(ctx, in1, in1len)) |
| 45 | && (in2 == NULL || in2len == 0 || HMAC_Update(ctx, in2, in2len)) |
| 46 | && (in3 == NULL || in3len == 0 || HMAC_Update(ctx, in3, in3len)) |
| 47 | && HMAC_Final(ctx, hmac->K, NULL) |
| 48 | /* V = HMAC(K, V) */ |
| 49 | && HMAC_Init_ex(ctx, hmac->K, hmac->blocklen, hmac->md, NULL) |
| 50 | && HMAC_Update(ctx, hmac->V, hmac->blocklen) |
| 51 | && HMAC_Final(ctx, hmac->V, NULL); |
| 52 | } |
| 53 | |
| 54 | /* |
| 55 | * SP800-90Ar1 10.1.2.2 HMAC_DRBG_Update_Process |
| 56 | * |
| 57 | * |
| 58 | * Updates the drbg objects Key(K) and Value(V) using the following algorithm: |
| 59 | * K,V = do_hmac(hmac, 0, in1, in2, in3) |
| 60 | * if (any input is not NULL) |
| 61 | * K,V = do_hmac(hmac, 1, in1, in2, in3) |
| 62 | * |
| 63 | * where in1, in2, in3 are optional input buffers that can be NULL. |
| 64 | * in1len, in2len, in3len are the lengths of the input buffers. |
| 65 | * |
| 66 | * Returns zero if an error occurs otherwise it returns 1. |
| 67 | */ |
| 68 | static int drbg_hmac_update(RAND_DRBG *drbg, |
| 69 | const unsigned char *in1, size_t in1len, |
| 70 | const unsigned char *in2, size_t in2len, |
| 71 | const unsigned char *in3, size_t in3len) |
| 72 | { |
| 73 | RAND_DRBG_HMAC *hmac = &drbg->data.hmac; |
| 74 | |
| 75 | /* (Steps 1-2) K = HMAC(K, V||0x00||provided_data). V = HMAC(K,V) */ |
| 76 | if (!do_hmac(hmac, 0x00, in1, in1len, in2, in2len, in3, in3len)) |
| 77 | return 0; |
| 78 | /* (Step 3) If provided_data == NULL then return (K,V) */ |
| 79 | if (in1len == 0 && in2len == 0 && in3len == 0) |
| 80 | return 1; |
| 81 | /* (Steps 4-5) K = HMAC(K, V||0x01||provided_data). V = HMAC(K,V) */ |
| 82 | return do_hmac(hmac, 0x01, in1, in1len, in2, in2len, in3, in3len); |
| 83 | } |
| 84 | |
| 85 | /* |
| 86 | * SP800-90Ar1 10.1.2.3 HMAC_DRBG_Instantiate_Process: |
| 87 | * |
| 88 | * This sets the drbg Key (K) to all zeros, and Value (V) to all 1's. |
| 89 | * and then calls (K,V) = drbg_hmac_update() with input parameters: |
| 90 | * ent = entropy data (Can be NULL) of length ent_len. |
| 91 | * nonce = nonce data (Can be NULL) of length nonce_len. |
| 92 | * pstr = personalization data (Can be NULL) of length pstr_len. |
| 93 | * |
| 94 | * Returns zero if an error occurs otherwise it returns 1. |
| 95 | */ |
| 96 | static int drbg_hmac_instantiate(RAND_DRBG *drbg, |
| 97 | const unsigned char *ent, size_t ent_len, |
| 98 | const unsigned char *nonce, size_t nonce_len, |
| 99 | const unsigned char *pstr, size_t pstr_len) |
| 100 | { |
| 101 | RAND_DRBG_HMAC *hmac = &drbg->data.hmac; |
| 102 | |
| 103 | /* (Step 2) Key = 0x00 00...00 */ |
| 104 | memset(hmac->K, 0x00, hmac->blocklen); |
| 105 | /* (Step 3) V = 0x01 01...01 */ |
| 106 | memset(hmac->V, 0x01, hmac->blocklen); |
| 107 | /* (Step 4) (K,V) = HMAC_DRBG_Update(entropy||nonce||pers string, K, V) */ |
| 108 | return drbg_hmac_update(drbg, ent, ent_len, nonce, nonce_len, pstr, |
| 109 | pstr_len); |
| 110 | } |
| 111 | |
| 112 | /* |
| 113 | * SP800-90Ar1 10.1.2.4 HMAC_DRBG_Reseed_Process: |
| 114 | * |
| 115 | * Reseeds the drbg's Key (K) and Value (V) by calling |
| 116 | * (K,V) = drbg_hmac_update() with the following input parameters: |
| 117 | * ent = entropy input data (Can be NULL) of length ent_len. |
| 118 | * adin = additional input data (Can be NULL) of length adin_len. |
| 119 | * |
| 120 | * Returns zero if an error occurs otherwise it returns 1. |
| 121 | */ |
| 122 | static int drbg_hmac_reseed(RAND_DRBG *drbg, |
| 123 | const unsigned char *ent, size_t ent_len, |
| 124 | const unsigned char *adin, size_t adin_len) |
| 125 | { |
| 126 | /* (Step 2) (K,V) = HMAC_DRBG_Update(entropy||additional_input, K, V) */ |
| 127 | return drbg_hmac_update(drbg, ent, ent_len, adin, adin_len, NULL, 0); |
| 128 | } |
| 129 | |
| 130 | /* |
| 131 | * SP800-90Ar1 10.1.2.5 HMAC_DRBG_Generate_Process: |
| 132 | * |
| 133 | * Generates pseudo random bytes and updates the internal K,V for the drbg. |
| 134 | * out is a buffer to fill with outlen bytes of pseudo random data. |
| 135 | * adin is an additional_input string of size adin_len that may be NULL. |
| 136 | * |
| 137 | * Returns zero if an error occurs otherwise it returns 1. |
| 138 | */ |
| 139 | static int drbg_hmac_generate(RAND_DRBG *drbg, |
| 140 | unsigned char *out, size_t outlen, |
| 141 | const unsigned char *adin, size_t adin_len) |
| 142 | { |
| 143 | RAND_DRBG_HMAC *hmac = &drbg->data.hmac; |
| 144 | HMAC_CTX *ctx = hmac->ctx; |
| 145 | const unsigned char *temp = hmac->V; |
| 146 | |
| 147 | /* (Step 2) if adin != NULL then (K,V) = HMAC_DRBG_Update(adin, K, V) */ |
| 148 | if (adin != NULL |
| 149 | && adin_len > 0 |
| 150 | && !drbg_hmac_update(drbg, adin, adin_len, NULL, 0, NULL, 0)) |
| 151 | return 0; |
| 152 | |
| 153 | /* |
| 154 | * (Steps 3-5) temp = NULL |
| 155 | * while (len(temp) < outlen) { |
| 156 | * V = HMAC(K, V) |
| 157 | * temp = temp || V |
| 158 | * } |
| 159 | */ |
| 160 | for (;;) { |
| 161 | if (!HMAC_Init_ex(ctx, hmac->K, hmac->blocklen, hmac->md, NULL) |
| 162 | || !HMAC_Update(ctx, temp, hmac->blocklen)) |
| 163 | return 0; |
| 164 | |
| 165 | if (outlen > hmac->blocklen) { |
| 166 | if (!HMAC_Final(ctx, out, NULL)) |
| 167 | return 0; |
| 168 | temp = out; |
| 169 | } else { |
| 170 | if (!HMAC_Final(ctx, hmac->V, NULL)) |
| 171 | return 0; |
| 172 | memcpy(out, hmac->V, outlen); |
| 173 | break; |
| 174 | } |
| 175 | out += hmac->blocklen; |
| 176 | outlen -= hmac->blocklen; |
| 177 | } |
| 178 | /* (Step 6) (K,V) = HMAC_DRBG_Update(adin, K, V) */ |
| 179 | if (!drbg_hmac_update(drbg, adin, adin_len, NULL, 0, NULL, 0)) |
| 180 | return 0; |
| 181 | |
| 182 | return 1; |
| 183 | } |
| 184 | |
| 185 | static int drbg_hmac_uninstantiate(RAND_DRBG *drbg) |
| 186 | { |
| 187 | EVP_MD_free(drbg->data.hmac.md); |
| 188 | HMAC_CTX_free(drbg->data.hmac.ctx); |
| 189 | OPENSSL_cleanse(&drbg->data.hmac, sizeof(drbg->data.hmac)); |
| 190 | return 1; |
| 191 | } |
| 192 | |
| 193 | static RAND_DRBG_METHOD drbg_hmac_meth = { |
| 194 | drbg_hmac_instantiate, |
| 195 | drbg_hmac_reseed, |
| 196 | drbg_hmac_generate, |
| 197 | drbg_hmac_uninstantiate |
| 198 | }; |
| 199 | |
| 200 | int drbg_hmac_init(RAND_DRBG *drbg) |
| 201 | { |
| 202 | EVP_MD *md = NULL; |
| 203 | RAND_DRBG_HMAC *hmac = &drbg->data.hmac; |
| 204 | |
| 205 | /* |
| 206 | * Confirm digest is allowed. We allow all digests that are not XOF |
| 207 | * (such as SHAKE). In FIPS mode, the fetch will fail for non-approved |
| 208 | * digests. |
| 209 | */ |
| 210 | md = EVP_MD_fetch(drbg->libctx, ossl_prov_util_nid_to_name(drbg->type), ""); |
| 211 | if (md == NULL) |
| 212 | return 0; |
| 213 | |
| 214 | if ((EVP_MD_flags(md) & EVP_MD_FLAG_XOF) != 0) |
| 215 | return 0; |
| 216 | |
| 217 | drbg->meth = &drbg_hmac_meth; |
| 218 | |
| 219 | if (hmac->ctx == NULL) { |
| 220 | hmac->ctx = HMAC_CTX_new(); |
| 221 | if (hmac->ctx == NULL) { |
| 222 | EVP_MD_free(md); |
| 223 | return 0; |
| 224 | } |
| 225 | } |
| 226 | |
| 227 | /* These are taken from SP 800-90 10.1 Table 2 */ |
| 228 | EVP_MD_free(hmac->md); |
| 229 | hmac->md = md; |
| 230 | hmac->blocklen = EVP_MD_size(md); |
| 231 | /* See SP800-57 Part1 Rev4 5.6.1 Table 3 */ |
| 232 | drbg->strength = 64 * (int)(hmac->blocklen >> 3); |
| 233 | if (drbg->strength > 256) |
| 234 | drbg->strength = 256; |
| 235 | drbg->seedlen = hmac->blocklen; |
| 236 | |
| 237 | drbg->min_entropylen = drbg->strength / 8; |
| 238 | drbg->max_entropylen = DRBG_MAX_LENGTH; |
| 239 | |
| 240 | drbg->min_noncelen = drbg->min_entropylen / 2; |
| 241 | drbg->max_noncelen = DRBG_MAX_LENGTH; |
| 242 | |
| 243 | drbg->max_perslen = DRBG_MAX_LENGTH; |
| 244 | drbg->max_adinlen = DRBG_MAX_LENGTH; |
| 245 | |
| 246 | /* Maximum number of bits per request = 2^19 = 2^16 bytes*/ |
| 247 | drbg->max_request = 1 << 16; |
| 248 | |
| 249 | return 1; |
| 250 | } |
| 251 |
Generated on 2020-Jan-04 from project ClickHouse revision 19.17.6
Powered by 
Code Browser 2.1
Generator usage only permitted with license.