providers/implementations/rands/drbg_hmac.c

   1 /*
   2  * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the Apache License 2.0 (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 /*
  11  * HMAC low level APIs are deprecated for public use, but still ok for internal
  12  * use.
  13  */
  14 #include "internal/deprecated.h"
  15
  16 #include <stdlib.h>
  17 #include <string.h>
  18 #include <openssl/crypto.h>
  19 #include <openssl/err.h>
  20 #include <openssl/rand.h>
  21 #include "internal/thread_once.h"
  22 #include "prov/providercommon.h"
  23 #include "rand_local.h"
  24
  25 /*
  26  * Called twice by SP800-90Ar1 10.1.2.2 HMAC_DRBG_Update_Process.
  27  *
  28  * hmac is an object that holds the input/output Key and Value (K and V).
  29  * inbyte is 0x00 on the first call and 0x01 on the second call.
  30  * in1, in2, in3 are optional inputs that can be NULL.
  31  * in1len, in2len, in3len are the lengths of the input buffers.
  32  *
  33  * The returned K,V is:
  34  *   hmac->K = HMAC(hmac->K, hmac->V || inbyte || [in1] || [in2] || [in3])
  35  *   hmac->V = HMAC(hmac->K, hmac->V)
  36  *
  37  * Returns zero if an error occurs otherwise it returns 1.
  38  */
  39 static int do_hmac(RAND_DRBG_HMAC *hmac, unsigned char inbyte,
  40                    const unsigned char *in1, size_t in1len,
  41                    const unsigned char *in2, size_t in2len,
  42                    const unsigned char *in3, size_t in3len)
  43 {
  44     HMAC_CTX *ctx = hmac->ctx;
  45
  46     return HMAC_Init_ex(ctx, hmac->K, hmac->blocklen, hmac->md, NULL)
  47            /* K = HMAC(K, V || inbyte || [in1] || [in2] || [in3]) */
  48            && HMAC_Update(ctx, hmac->V, hmac->blocklen)
  49            && HMAC_Update(ctx, &inbyte, 1)
  50            && (in1 == NULL || in1len == 0 || HMAC_Update(ctx, in1, in1len))
  51            && (in2 == NULL || in2len == 0 || HMAC_Update(ctx, in2, in2len))
  52            && (in3 == NULL || in3len == 0 || HMAC_Update(ctx, in3, in3len))
  53            && HMAC_Final(ctx, hmac->K, NULL)
  54            /* V = HMAC(K, V) */
  55            && HMAC_Init_ex(ctx, hmac->K, hmac->blocklen, hmac->md, NULL)
  56            && HMAC_Update(ctx, hmac->V, hmac->blocklen)
  57            && HMAC_Final(ctx, hmac->V, NULL);
  58 }
  59
  60 /*
  61  * SP800-90Ar1 10.1.2.2 HMAC_DRBG_Update_Process
  62  *
  63  *
  64  * Updates the drbg objects Key(K) and Value(V) using the following algorithm:
  65  *   K,V = do_hmac(hmac, 0, in1, in2, in3)
  66  *   if (any input is not NULL)
  67  *     K,V = do_hmac(hmac, 1, in1, in2, in3)
  68  *
  69  * where in1, in2, in3 are optional input buffers that can be NULL.
  70  *       in1len, in2len, in3len are the lengths of the input buffers.
  71  *
  72  * Returns zero if an error occurs otherwise it returns 1.
  73  */
  74 static int drbg_hmac_update(RAND_DRBG *drbg,
  75                             const unsigned char *in1, size_t in1len,
  76                             const unsigned char *in2, size_t in2len,
  77                             const unsigned char *in3, size_t in3len)
  78 {
  79     RAND_DRBG_HMAC *hmac = &drbg->data.hmac;
  80
  81     /* (Steps 1-2) K = HMAC(K, V||0x00||provided_data). V = HMAC(K,V) */
  82     if (!do_hmac(hmac, 0x00, in1, in1len, in2, in2len, in3, in3len))
  83         return 0;
  84     /* (Step 3) If provided_data == NULL then return (K,V) */
  85     if (in1len == 0 && in2len == 0 && in3len == 0)
  86         return 1;
  87     /* (Steps 4-5) K = HMAC(K, V||0x01||provided_data). V = HMAC(K,V) */
  88     return do_hmac(hmac, 0x01, in1, in1len, in2, in2len, in3, in3len);
  89 }
  90
  91 /*
  92  * SP800-90Ar1 10.1.2.3 HMAC_DRBG_Instantiate_Process:
  93  *
  94  * This sets the drbg Key (K) to all zeros, and Value (V) to all 1's.
  95  * and then calls (K,V) = drbg_hmac_update() with input parameters:
  96  *   ent = entropy data (Can be NULL) of length ent_len.
  97  *   nonce = nonce data (Can be NULL) of length nonce_len.
  98  *   pstr = personalization data (Can be NULL) of length pstr_len.
  99  *
 100  * Returns zero if an error occurs otherwise it returns 1.
 101  */
 102 static int drbg_hmac_instantiate(RAND_DRBG *drbg,
 103                                  const unsigned char *ent, size_t ent_len,
 104                                  const unsigned char *nonce, size_t nonce_len,
 105                                  const unsigned char *pstr, size_t pstr_len)
 106 {
 107     RAND_DRBG_HMAC *hmac = &drbg->data.hmac;
 108
 109     /* (Step 2) Key = 0x00 00...00 */
 110     memset(hmac->K, 0x00, hmac->blocklen);
 111     /* (Step 3) V = 0x01 01...01 */
 112     memset(hmac->V, 0x01, hmac->blocklen);
 113     /* (Step 4) (K,V) = HMAC_DRBG_Update(entropy||nonce||pers string, K, V) */
 114     return drbg_hmac_update(drbg, ent, ent_len, nonce, nonce_len, pstr,
 115                             pstr_len);
 116 }
 117
 118 /*
 119  * SP800-90Ar1 10.1.2.4 HMAC_DRBG_Reseed_Process:
 120  *
 121  * Reseeds the drbg's Key (K) and Value (V) by calling
 122  * (K,V) = drbg_hmac_update() with the following input parameters:
 123  *   ent = entropy input data (Can be NULL) of length ent_len.
 124  *   adin = additional input data (Can be NULL) of length adin_len.
 125  *
 126  * Returns zero if an error occurs otherwise it returns 1.
 127  */
 128 static int drbg_hmac_reseed(RAND_DRBG *drbg,
 129                             const unsigned char *ent, size_t ent_len,
 130                             const unsigned char *adin, size_t adin_len)
 131 {
 132     /* (Step 2) (K,V) = HMAC_DRBG_Update(entropy||additional_input, K, V) */
 133     return drbg_hmac_update(drbg, ent, ent_len, adin, adin_len, NULL, 0);
 134 }
 135
 136 /*
 137  * SP800-90Ar1 10.1.2.5 HMAC_DRBG_Generate_Process:
 138  *
 139  * Generates pseudo random bytes and updates the internal K,V for the drbg.
 140  * out is a buffer to fill with outlen bytes of pseudo random data.
 141  * adin is an additional_input string of size adin_len that may be NULL.
 142  *
 143  * Returns zero if an error occurs otherwise it returns 1.
 144  */
 145 static int drbg_hmac_generate(RAND_DRBG *drbg,
 146                               unsigned char *out, size_t outlen,
 147                               const unsigned char *adin, size_t adin_len)
 148 {
 149     RAND_DRBG_HMAC *hmac = &drbg->data.hmac;
 150     HMAC_CTX *ctx = hmac->ctx;
 151     const unsigned char *temp = hmac->V;
 152
 153     /* (Step 2) if adin != NULL then (K,V) = HMAC_DRBG_Update(adin, K, V) */
 154     if (adin != NULL
 155             && adin_len > 0
 156             && !drbg_hmac_update(drbg, adin, adin_len, NULL, 0, NULL, 0))
 157         return 0;
 158
 159     /*
 160      * (Steps 3-5) temp = NULL
 161      *             while (len(temp) < outlen) {
 162      *                 V = HMAC(K, V)
 163      *                 temp = temp || V
 164      *             }
 165      */
 166     for (;;) {
 167         if (!HMAC_Init_ex(ctx, hmac->K, hmac->blocklen, hmac->md, NULL)
 168                 || !HMAC_Update(ctx, temp, hmac->blocklen))
 169             return 0;
 170
 171         if (outlen > hmac->blocklen) {
 172             if (!HMAC_Final(ctx, out, NULL))
 173                 return 0;
 174             temp = out;
 175         } else {
 176             if (!HMAC_Final(ctx, hmac->V, NULL))
 177                 return 0;
 178             memcpy(out, hmac->V, outlen);
 179             break;
 180         }
 181         out += hmac->blocklen;
 182         outlen -= hmac->blocklen;
 183     }
 184     /* (Step 6) (K,V) = HMAC_DRBG_Update(adin, K, V) */
 185     if (!drbg_hmac_update(drbg, adin, adin_len, NULL, 0, NULL, 0))
 186         return 0;
 187
 188     return 1;
 189 }
 190
 191 static int drbg_hmac_uninstantiate(RAND_DRBG *drbg)
 192 {
 193     EVP_MD_free(drbg->data.hmac.md);
 194     HMAC_CTX_free(drbg->data.hmac.ctx);
 195     OPENSSL_cleanse(&drbg->data.hmac, sizeof(drbg->data.hmac));
 196     return 1;
 197 }
 198
 199 static RAND_DRBG_METHOD drbg_hmac_meth = {
 200     drbg_hmac_instantiate,
 201     drbg_hmac_reseed,
 202     drbg_hmac_generate,
 203     drbg_hmac_uninstantiate
 204 };
 205
 206 int drbg_hmac_init(RAND_DRBG *drbg)
 207 {
 208     EVP_MD *md = NULL;
 209     RAND_DRBG_HMAC *hmac = &drbg->data.hmac;
 210
 211     /*
 212      * Confirm digest is allowed. We allow all digests that are not XOF
 213      * (such as SHAKE).  In FIPS mode, the fetch will fail for non-approved
 214      * digests.
 215      */
 216     md = EVP_MD_fetch(drbg->libctx, ossl_prov_util_nid_to_name(drbg->type), "");
 217     if (md == NULL)
 218         return 0;
 219
 220     if ((EVP_MD_flags(md) & EVP_MD_FLAG_XOF) != 0)
 221         return 0;
 222
 223     drbg->meth = &drbg_hmac_meth;
 224
 225     if (hmac->ctx == NULL) {
 226         hmac->ctx = HMAC_CTX_new();
 227         if (hmac->ctx == NULL) {
 228             EVP_MD_free(md);
 229             return 0;
 230         }
 231     }
 232
 233     /* These are taken from SP 800-90 10.1 Table 2 */
 234     EVP_MD_free(hmac->md);
 235     hmac->md = md;
 236     hmac->blocklen = EVP_MD_size(md);
 237     /* See SP800-57 Part1 Rev4 5.6.1 Table 3 */
 238     drbg->strength = 64 * (int)(hmac->blocklen >> 3);
 239     if (drbg->strength > 256)
 240         drbg->strength = 256;
 241     drbg->seedlen = hmac->blocklen;
 242
 243     drbg->min_entropylen = drbg->strength / 8;
 244     drbg->max_entropylen = DRBG_MAX_LENGTH;
 245
 246     drbg->min_noncelen = drbg->min_entropylen / 2;
 247     drbg->max_noncelen = DRBG_MAX_LENGTH;
 248
 249     drbg->max_perslen = DRBG_MAX_LENGTH;
 250     drbg->max_adinlen = DRBG_MAX_LENGTH;
 251
 252     /* Maximum number of bits per request = 2^19 = 2^16 bytes*/
 253     drbg->max_request = 1 << 16;
 254
 255     return 1;
 256 }