crypto/rand/drbg_hmac.c

   1 /*
   2  * Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the Apache License 2.0 (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 #include <stdlib.h>
  11 #include <string.h>
  12 #include <openssl/crypto.h>
  13 #include <openssl/err.h>
  14 #include <openssl/rand.h>
  15 #include "internal/thread_once.h"
  16 #include "internal/providercommon.h"
  17 #include "rand_local.h"
  18
  19 /*
  20  * Called twice by SP800-90Ar1 10.1.2.2 HMAC_DRBG_Update_Process.
  21  *
  22  * hmac is an object that holds the input/output Key and Value (K and V).
  23  * inbyte is 0x00 on the first call and 0x01 on the second call.
  24  * in1, in2, in3 are optional inputs that can be NULL.
  25  * in1len, in2len, in3len are the lengths of the input buffers.
  26  *
  27  * The returned K,V is:
  28  *   hmac->K = HMAC(hmac->K, hmac->V || inbyte || [in1] || [in2] || [in3])
  29  *   hmac->V = HMAC(hmac->K, hmac->V)
  30  *
  31  * Returns zero if an error occurs otherwise it returns 1.
  32  */
  33 static int do_hmac(RAND_DRBG_HMAC *hmac, unsigned char inbyte,
  34                    const unsigned char *in1, size_t in1len,
  35                    const unsigned char *in2, size_t in2len,
  36                    const unsigned char *in3, size_t in3len)
  37 {
  38     HMAC_CTX *ctx = hmac->ctx;
  39
  40     return HMAC_Init_ex(ctx, hmac->K, hmac->blocklen, hmac->md, NULL)
  41            /* K = HMAC(K, V || inbyte || [in1] || [in2] || [in3]) */
  42            && HMAC_Update(ctx, hmac->V, hmac->blocklen)
  43            && HMAC_Update(ctx, &inbyte, 1)
  44            && (in1 == NULL || in1len == 0 || HMAC_Update(ctx, in1, in1len))
  45            && (in2 == NULL || in2len == 0 || HMAC_Update(ctx, in2, in2len))
  46            && (in3 == NULL || in3len == 0 || HMAC_Update(ctx, in3, in3len))
  47            && HMAC_Final(ctx, hmac->K, NULL)
  48            /* V = HMAC(K, V) */
  49            && HMAC_Init_ex(ctx, hmac->K, hmac->blocklen, hmac->md, NULL)
  50            && HMAC_Update(ctx, hmac->V, hmac->blocklen)
  51            && HMAC_Final(ctx, hmac->V, NULL);
  52 }
  53
  54 /*
  55  * SP800-90Ar1 10.1.2.2 HMAC_DRBG_Update_Process
  56  *
  57  *
  58  * Updates the drbg objects Key(K) and Value(V) using the following algorithm:
  59  *   K,V = do_hmac(hmac, 0, in1, in2, in3)
  60  *   if (any input is not NULL)
  61  *     K,V = do_hmac(hmac, 1, in1, in2, in3)
  62  *
  63  * where in1, in2, in3 are optional input buffers that can be NULL.
  64  *       in1len, in2len, in3len are the lengths of the input buffers.
  65  *
  66  * Returns zero if an error occurs otherwise it returns 1.
  67  */
  68 static int drbg_hmac_update(RAND_DRBG *drbg,
  69                             const unsigned char *in1, size_t in1len,
  70                             const unsigned char *in2, size_t in2len,
  71                             const unsigned char *in3, size_t in3len)
  72 {
  73     RAND_DRBG_HMAC *hmac = &drbg->data.hmac;
  74
  75     /* (Steps 1-2) K = HMAC(K, V||0x00||provided_data). V = HMAC(K,V) */
  76     if (!do_hmac(hmac, 0x00, in1, in1len, in2, in2len, in3, in3len))
  77         return 0;
  78     /* (Step 3) If provided_data == NULL then return (K,V) */
  79     if (in1len == 0 && in2len == 0 && in3len == 0)
  80         return 1;
  81     /* (Steps 4-5) K = HMAC(K, V||0x01||provided_data). V = HMAC(K,V) */
  82     return do_hmac(hmac, 0x01, in1, in1len, in2, in2len, in3, in3len);
  83 }
  84
  85 /*
  86  * SP800-90Ar1 10.1.2.3 HMAC_DRBG_Instantiate_Process:
  87  *
  88  * This sets the drbg Key (K) to all zeros, and Value (V) to all 1's.
  89  * and then calls (K,V) = drbg_hmac_update() with input parameters:
  90  *   ent = entropy data (Can be NULL) of length ent_len.
  91  *   nonce = nonce data (Can be NULL) of length nonce_len.
  92  *   pstr = personalization data (Can be NULL) of length pstr_len.
  93  *
  94  * Returns zero if an error occurs otherwise it returns 1.
  95  */
  96 static int drbg_hmac_instantiate(RAND_DRBG *drbg,
  97                                  const unsigned char *ent, size_t ent_len,
  98                                  const unsigned char *nonce, size_t nonce_len,
  99                                  const unsigned char *pstr, size_t pstr_len)
 100 {
 101     RAND_DRBG_HMAC *hmac = &drbg->data.hmac;
 102
 103     /* (Step 2) Key = 0x00 00...00 */
 104     memset(hmac->K, 0x00, hmac->blocklen);
 105     /* (Step 3) V = 0x01 01...01 */
 106     memset(hmac->V, 0x01, hmac->blocklen);
 107     /* (Step 4) (K,V) = HMAC_DRBG_Update(entropy||nonce||pers string, K, V) */
 108     return drbg_hmac_update(drbg, ent, ent_len, nonce, nonce_len, pstr,
 109                             pstr_len);
 110 }
 111
 112 /*
 113  * SP800-90Ar1 10.1.2.4 HMAC_DRBG_Reseed_Process:
 114  *
 115  * Reseeds the drbg's Key (K) and Value (V) by calling
 116  * (K,V) = drbg_hmac_update() with the following input parameters:
 117  *   ent = entropy input data (Can be NULL) of length ent_len.
 118  *   adin = additional input data (Can be NULL) of length adin_len.
 119  *
 120  * Returns zero if an error occurs otherwise it returns 1.
 121  */
 122 static int drbg_hmac_reseed(RAND_DRBG *drbg,
 123                             const unsigned char *ent, size_t ent_len,
 124                             const unsigned char *adin, size_t adin_len)
 125 {
 126     /* (Step 2) (K,V) = HMAC_DRBG_Update(entropy||additional_input, K, V) */
 127     return drbg_hmac_update(drbg, ent, ent_len, adin, adin_len, NULL, 0);
 128 }
 129
 130 /*
 131  * SP800-90Ar1 10.1.2.5 HMAC_DRBG_Generate_Process:
 132  *
 133  * Generates pseudo random bytes and updates the internal K,V for the drbg.
 134  * out is a buffer to fill with outlen bytes of pseudo random data.
 135  * adin is an additional_input string of size adin_len that may be NULL.
 136  *
 137  * Returns zero if an error occurs otherwise it returns 1.
 138  */
 139 static int drbg_hmac_generate(RAND_DRBG *drbg,
 140                               unsigned char *out, size_t outlen,
 141                               const unsigned char *adin, size_t adin_len)
 142 {
 143     RAND_DRBG_HMAC *hmac = &drbg->data.hmac;
 144     HMAC_CTX *ctx = hmac->ctx;
 145     const unsigned char *temp = hmac->V;
 146
 147     /* (Step 2) if adin != NULL then (K,V) = HMAC_DRBG_Update(adin, K, V) */
 148     if (adin != NULL
 149             && adin_len > 0
 150             && !drbg_hmac_update(drbg, adin, adin_len, NULL, 0, NULL, 0))
 151         return 0;
 152
 153     /*
 154      * (Steps 3-5) temp = NULL
 155      *             while (len(temp) < outlen) {
 156      *                 V = HMAC(K, V)
 157      *                 temp = temp || V
 158      *             }
 159      */
 160     for (;;) {
 161         if (!HMAC_Init_ex(ctx, hmac->K, hmac->blocklen, hmac->md, NULL)
 162                 || !HMAC_Update(ctx, temp, hmac->blocklen))
 163             return 0;
 164
 165         if (outlen > hmac->blocklen) {
 166             if (!HMAC_Final(ctx, out, NULL))
 167                 return 0;
 168             temp = out;
 169         } else {
 170             if (!HMAC_Final(ctx, hmac->V, NULL))
 171                 return 0;
 172             memcpy(out, hmac->V, outlen);
 173             break;
 174         }
 175         out += hmac->blocklen;
 176         outlen -= hmac->blocklen;
 177     }
 178     /* (Step 6) (K,V) = HMAC_DRBG_Update(adin, K, V) */
 179     if (!drbg_hmac_update(drbg, adin, adin_len, NULL, 0, NULL, 0))
 180         return 0;
 181
 182     return 1;
 183 }
 184
 185 static int drbg_hmac_uninstantiate(RAND_DRBG *drbg)
 186 {
 187     EVP_MD_free(drbg->data.hmac.md);
 188     HMAC_CTX_free(drbg->data.hmac.ctx);
 189     OPENSSL_cleanse(&drbg->data.hmac, sizeof(drbg->data.hmac));
 190     return 1;
 191 }
 192
 193 static RAND_DRBG_METHOD drbg_hmac_meth = {
 194     drbg_hmac_instantiate,
 195     drbg_hmac_reseed,
 196     drbg_hmac_generate,
 197     drbg_hmac_uninstantiate
 198 };
 199
 200 int drbg_hmac_init(RAND_DRBG *drbg)
 201 {
 202     EVP_MD *md = NULL;
 203     RAND_DRBG_HMAC *hmac = &drbg->data.hmac;
 204
 205     /*
 206      * Confirm digest is allowed. Outside FIPS_MODE we allow all non-legacy
 207      * digests. Inside FIPS_MODE we only allow approved digests. Also no XOF
 208      * digests (such as SHAKE).
 209      */
 210     switch (drbg->type) {
 211     default:
 212         return 0;
 213
 214     case NID_sha1:
 215     case NID_sha224:
 216     case NID_sha256:
 217     case NID_sha384:
 218     case NID_sha512:
 219     case NID_sha512_224:
 220     case NID_sha512_256:
 221     case NID_sha3_224:
 222     case NID_sha3_256:
 223     case NID_sha3_384:
 224     case NID_sha3_512:
 225 #ifndef FIPS_MODE
 226     case NID_blake2b512:
 227     case NID_blake2s256:
 228     case NID_sm3:
 229 #endif
 230         break;
 231     }
 232
 233     md = EVP_MD_fetch(drbg->libctx, ossl_prov_util_nid_to_name(drbg->type), "");
 234     if (md == NULL)
 235         return 0;
 236
 237     drbg->meth = &drbg_hmac_meth;
 238
 239     if (hmac->ctx == NULL) {
 240         hmac->ctx = HMAC_CTX_new();
 241         if (hmac->ctx == NULL) {
 242             EVP_MD_free(md);
 243             return 0;
 244         }
 245     }
 246
 247     /* These are taken from SP 800-90 10.1 Table 2 */
 248     EVP_MD_free(hmac->md);
 249     hmac->md = md;
 250     hmac->blocklen = EVP_MD_size(md);
 251     /* See SP800-57 Part1 Rev4 5.6.1 Table 3 */
 252     drbg->strength = 64 * (int)(hmac->blocklen >> 3);
 253     if (drbg->strength > 256)
 254         drbg->strength = 256;
 255     drbg->seedlen = hmac->blocklen;
 256
 257     drbg->min_entropylen = drbg->strength / 8;
 258     drbg->max_entropylen = DRBG_MAX_LENGTH;
 259
 260     drbg->min_noncelen = drbg->min_entropylen / 2;
 261     drbg->max_noncelen = DRBG_MAX_LENGTH;
 262
 263     drbg->max_perslen = DRBG_MAX_LENGTH;
 264     drbg->max_adinlen = DRBG_MAX_LENGTH;
 265
 266     /* Maximum number of bits per request = 2^19 = 2^16 bytes*/
 267     drbg->max_request = 1 << 16;
 268
 269     return 1;
 270 }