2 * Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/crypto.h>
13 #include <openssl/err.h>
14 #include <openssl/rand.h>
15 #include "internal/thread_once.h"
16 #include "internal/providercommon.h"
17 #include "rand_local.h"
20 * Called twice by SP800-90Ar1 10.1.2.2 HMAC_DRBG_Update_Process.
22 * hmac is an object that holds the input/output Key and Value (K and V).
23 * inbyte is 0x00 on the first call and 0x01 on the second call.
24 * in1, in2, in3 are optional inputs that can be NULL.
25 * in1len, in2len, in3len are the lengths of the input buffers.
27 * The returned K,V is:
28 * hmac->K = HMAC(hmac->K, hmac->V || inbyte || [in1] || [in2] || [in3])
29 * hmac->V = HMAC(hmac->K, hmac->V)
31 * Returns zero if an error occurs otherwise it returns 1.
33 static int do_hmac(RAND_DRBG_HMAC
*hmac
, unsigned char inbyte
,
34 const unsigned char *in1
, size_t in1len
,
35 const unsigned char *in2
, size_t in2len
,
36 const unsigned char *in3
, size_t in3len
)
38 HMAC_CTX
*ctx
= hmac
->ctx
;
40 return HMAC_Init_ex(ctx
, hmac
->K
, hmac
->blocklen
, hmac
->md
, NULL
)
41 /* K = HMAC(K, V || inbyte || [in1] || [in2] || [in3]) */
42 && HMAC_Update(ctx
, hmac
->V
, hmac
->blocklen
)
43 && HMAC_Update(ctx
, &inbyte
, 1)
44 && (in1
== NULL
|| in1len
== 0 || HMAC_Update(ctx
, in1
, in1len
))
45 && (in2
== NULL
|| in2len
== 0 || HMAC_Update(ctx
, in2
, in2len
))
46 && (in3
== NULL
|| in3len
== 0 || HMAC_Update(ctx
, in3
, in3len
))
47 && HMAC_Final(ctx
, hmac
->K
, NULL
)
49 && HMAC_Init_ex(ctx
, hmac
->K
, hmac
->blocklen
, hmac
->md
, NULL
)
50 && HMAC_Update(ctx
, hmac
->V
, hmac
->blocklen
)
51 && HMAC_Final(ctx
, hmac
->V
, NULL
);
55 * SP800-90Ar1 10.1.2.2 HMAC_DRBG_Update_Process
58 * Updates the drbg objects Key(K) and Value(V) using the following algorithm:
59 * K,V = do_hmac(hmac, 0, in1, in2, in3)
60 * if (any input is not NULL)
61 * K,V = do_hmac(hmac, 1, in1, in2, in3)
63 * where in1, in2, in3 are optional input buffers that can be NULL.
64 * in1len, in2len, in3len are the lengths of the input buffers.
66 * Returns zero if an error occurs otherwise it returns 1.
68 static int drbg_hmac_update(RAND_DRBG
*drbg
,
69 const unsigned char *in1
, size_t in1len
,
70 const unsigned char *in2
, size_t in2len
,
71 const unsigned char *in3
, size_t in3len
)
73 RAND_DRBG_HMAC
*hmac
= &drbg
->data
.hmac
;
75 /* (Steps 1-2) K = HMAC(K, V||0x00||provided_data). V = HMAC(K,V) */
76 if (!do_hmac(hmac
, 0x00, in1
, in1len
, in2
, in2len
, in3
, in3len
))
78 /* (Step 3) If provided_data == NULL then return (K,V) */
79 if (in1len
== 0 && in2len
== 0 && in3len
== 0)
81 /* (Steps 4-5) K = HMAC(K, V||0x01||provided_data). V = HMAC(K,V) */
82 return do_hmac(hmac
, 0x01, in1
, in1len
, in2
, in2len
, in3
, in3len
);
86 * SP800-90Ar1 10.1.2.3 HMAC_DRBG_Instantiate_Process:
88 * This sets the drbg Key (K) to all zeros, and Value (V) to all 1's.
89 * and then calls (K,V) = drbg_hmac_update() with input parameters:
90 * ent = entropy data (Can be NULL) of length ent_len.
91 * nonce = nonce data (Can be NULL) of length nonce_len.
92 * pstr = personalization data (Can be NULL) of length pstr_len.
94 * Returns zero if an error occurs otherwise it returns 1.
96 static int drbg_hmac_instantiate(RAND_DRBG
*drbg
,
97 const unsigned char *ent
, size_t ent_len
,
98 const unsigned char *nonce
, size_t nonce_len
,
99 const unsigned char *pstr
, size_t pstr_len
)
101 RAND_DRBG_HMAC
*hmac
= &drbg
->data
.hmac
;
103 /* (Step 2) Key = 0x00 00...00 */
104 memset(hmac
->K
, 0x00, hmac
->blocklen
);
105 /* (Step 3) V = 0x01 01...01 */
106 memset(hmac
->V
, 0x01, hmac
->blocklen
);
107 /* (Step 4) (K,V) = HMAC_DRBG_Update(entropy||nonce||pers string, K, V) */
108 return drbg_hmac_update(drbg
, ent
, ent_len
, nonce
, nonce_len
, pstr
,
113 * SP800-90Ar1 10.1.2.4 HMAC_DRBG_Reseed_Process:
115 * Reseeds the drbg's Key (K) and Value (V) by calling
116 * (K,V) = drbg_hmac_update() with the following input parameters:
117 * ent = entropy input data (Can be NULL) of length ent_len.
118 * adin = additional input data (Can be NULL) of length adin_len.
120 * Returns zero if an error occurs otherwise it returns 1.
122 static int drbg_hmac_reseed(RAND_DRBG
*drbg
,
123 const unsigned char *ent
, size_t ent_len
,
124 const unsigned char *adin
, size_t adin_len
)
126 /* (Step 2) (K,V) = HMAC_DRBG_Update(entropy||additional_input, K, V) */
127 return drbg_hmac_update(drbg
, ent
, ent_len
, adin
, adin_len
, NULL
, 0);
131 * SP800-90Ar1 10.1.2.5 HMAC_DRBG_Generate_Process:
133 * Generates pseudo random bytes and updates the internal K,V for the drbg.
134 * out is a buffer to fill with outlen bytes of pseudo random data.
135 * adin is an additional_input string of size adin_len that may be NULL.
137 * Returns zero if an error occurs otherwise it returns 1.
139 static int drbg_hmac_generate(RAND_DRBG
*drbg
,
140 unsigned char *out
, size_t outlen
,
141 const unsigned char *adin
, size_t adin_len
)
143 RAND_DRBG_HMAC
*hmac
= &drbg
->data
.hmac
;
144 HMAC_CTX
*ctx
= hmac
->ctx
;
145 const unsigned char *temp
= hmac
->V
;
147 /* (Step 2) if adin != NULL then (K,V) = HMAC_DRBG_Update(adin, K, V) */
150 && !drbg_hmac_update(drbg
, adin
, adin_len
, NULL
, 0, NULL
, 0))
154 * (Steps 3-5) temp = NULL
155 * while (len(temp) < outlen) {
161 if (!HMAC_Init_ex(ctx
, hmac
->K
, hmac
->blocklen
, hmac
->md
, NULL
)
162 || !HMAC_Update(ctx
, temp
, hmac
->blocklen
))
165 if (outlen
> hmac
->blocklen
) {
166 if (!HMAC_Final(ctx
, out
, NULL
))
170 if (!HMAC_Final(ctx
, hmac
->V
, NULL
))
172 memcpy(out
, hmac
->V
, outlen
);
175 out
+= hmac
->blocklen
;
176 outlen
-= hmac
->blocklen
;
178 /* (Step 6) (K,V) = HMAC_DRBG_Update(adin, K, V) */
179 if (!drbg_hmac_update(drbg
, adin
, adin_len
, NULL
, 0, NULL
, 0))
185 static int drbg_hmac_uninstantiate(RAND_DRBG
*drbg
)
187 EVP_MD_free(drbg
->data
.hmac
.md
);
188 HMAC_CTX_free(drbg
->data
.hmac
.ctx
);
189 OPENSSL_cleanse(&drbg
->data
.hmac
, sizeof(drbg
->data
.hmac
));
193 static RAND_DRBG_METHOD drbg_hmac_meth
= {
194 drbg_hmac_instantiate
,
197 drbg_hmac_uninstantiate
200 int drbg_hmac_init(RAND_DRBG
*drbg
)
203 RAND_DRBG_HMAC
*hmac
= &drbg
->data
.hmac
;
206 * Confirm digest is allowed. Outside FIPS_MODE we allow all non-legacy
207 * digests. Inside FIPS_MODE we only allow approved digests. Also no XOF
208 * digests (such as SHAKE).
210 switch (drbg
->type
) {
233 md
= EVP_MD_fetch(drbg
->libctx
, ossl_prov_util_nid_to_name(drbg
->type
), "");
237 drbg
->meth
= &drbg_hmac_meth
;
239 if (hmac
->ctx
== NULL
) {
240 hmac
->ctx
= HMAC_CTX_new();
241 if (hmac
->ctx
== NULL
) {
247 /* These are taken from SP 800-90 10.1 Table 2 */
248 EVP_MD_free(hmac
->md
);
250 hmac
->blocklen
= EVP_MD_size(md
);
251 /* See SP800-57 Part1 Rev4 5.6.1 Table 3 */
252 drbg
->strength
= 64 * (int)(hmac
->blocklen
>> 3);
253 if (drbg
->strength
> 256)
254 drbg
->strength
= 256;
255 drbg
->seedlen
= hmac
->blocklen
;
257 drbg
->min_entropylen
= drbg
->strength
/ 8;
258 drbg
->max_entropylen
= DRBG_MAX_LENGTH
;
260 drbg
->min_noncelen
= drbg
->min_entropylen
/ 2;
261 drbg
->max_noncelen
= DRBG_MAX_LENGTH
;
263 drbg
->max_perslen
= DRBG_MAX_LENGTH
;
264 drbg
->max_adinlen
= DRBG_MAX_LENGTH
;
266 /* Maximum number of bits per request = 2^19 = 2^16 bytes*/
267 drbg
->max_request
= 1 << 16;