]>
Commit | Line | Data |
---|---|---|
8bf36651 | 1 | /* |
da1c088f | 2 | * Copyright 2011-2023 The OpenSSL Project Authors. All Rights Reserved. |
8bf36651 | 3 | * |
0db63de9 | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
8bf36651 SL |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | #include <stdlib.h> | |
11 | #include <string.h> | |
12 | #include <openssl/crypto.h> | |
13 | #include <openssl/err.h> | |
14 | #include <openssl/rand.h> | |
2741128e | 15 | #include <openssl/proverr.h> |
8bf36651 | 16 | #include "internal/thread_once.h" |
ddd21319 | 17 | #include "prov/providercommon.h" |
f000e828 P |
18 | #include "prov/implementations.h" |
19 | #include "prov/provider_ctx.h" | |
f3090fc7 | 20 | #include "prov/hmac_drbg.h" |
f000e828 P |
21 | #include "drbg_local.h" |
22 | ||
363b1e5d DMSP |
23 | static OSSL_FUNC_rand_newctx_fn drbg_hmac_new_wrapper; |
24 | static OSSL_FUNC_rand_freectx_fn drbg_hmac_free; | |
25 | static OSSL_FUNC_rand_instantiate_fn drbg_hmac_instantiate_wrapper; | |
26 | static OSSL_FUNC_rand_uninstantiate_fn drbg_hmac_uninstantiate_wrapper; | |
27 | static OSSL_FUNC_rand_generate_fn drbg_hmac_generate_wrapper; | |
28 | static OSSL_FUNC_rand_reseed_fn drbg_hmac_reseed_wrapper; | |
29 | static OSSL_FUNC_rand_settable_ctx_params_fn drbg_hmac_settable_ctx_params; | |
30 | static OSSL_FUNC_rand_set_ctx_params_fn drbg_hmac_set_ctx_params; | |
31 | static OSSL_FUNC_rand_gettable_ctx_params_fn drbg_hmac_gettable_ctx_params; | |
32 | static OSSL_FUNC_rand_get_ctx_params_fn drbg_hmac_get_ctx_params; | |
33 | static OSSL_FUNC_rand_verify_zeroization_fn drbg_hmac_verify_zeroization; | |
f000e828 | 34 | |
189ad3ab MC |
35 | static int drbg_hmac_set_ctx_params_locked(void *vctx, const OSSL_PARAM params[]); |
36 | ||
8bf36651 SL |
37 | /* |
38 | * Called twice by SP800-90Ar1 10.1.2.2 HMAC_DRBG_Update_Process. | |
39 | * | |
40 | * hmac is an object that holds the input/output Key and Value (K and V). | |
41 | * inbyte is 0x00 on the first call and 0x01 on the second call. | |
42 | * in1, in2, in3 are optional inputs that can be NULL. | |
43 | * in1len, in2len, in3len are the lengths of the input buffers. | |
44 | * | |
45 | * The returned K,V is: | |
46 | * hmac->K = HMAC(hmac->K, hmac->V || inbyte || [in1] || [in2] || [in3]) | |
47 | * hmac->V = HMAC(hmac->K, hmac->V) | |
48 | * | |
49 | * Returns zero if an error occurs otherwise it returns 1. | |
50 | */ | |
f000e828 | 51 | static int do_hmac(PROV_DRBG_HMAC *hmac, unsigned char inbyte, |
8bf36651 SL |
52 | const unsigned char *in1, size_t in1len, |
53 | const unsigned char *in2, size_t in2len, | |
54 | const unsigned char *in3, size_t in3len) | |
55 | { | |
f000e828 | 56 | EVP_MAC_CTX *ctx = hmac->ctx; |
f000e828 | 57 | |
cf5784aa | 58 | if (!EVP_MAC_init(ctx, hmac->K, hmac->blocklen, NULL) |
f000e828 P |
59 | /* K = HMAC(K, V || inbyte || [in1] || [in2] || [in3]) */ |
60 | || !EVP_MAC_update(ctx, hmac->V, hmac->blocklen) | |
61 | || !EVP_MAC_update(ctx, &inbyte, 1) | |
62 | || !(in1 == NULL || in1len == 0 || EVP_MAC_update(ctx, in1, in1len)) | |
63 | || !(in2 == NULL || in2len == 0 || EVP_MAC_update(ctx, in2, in2len)) | |
64 | || !(in3 == NULL || in3len == 0 || EVP_MAC_update(ctx, in3, in3len)) | |
65 | || !EVP_MAC_final(ctx, hmac->K, NULL, sizeof(hmac->K))) | |
66 | return 0; | |
67 | ||
68 | /* V = HMAC(K, V) */ | |
cf5784aa | 69 | return EVP_MAC_init(ctx, hmac->K, hmac->blocklen, NULL) |
f000e828 P |
70 | && EVP_MAC_update(ctx, hmac->V, hmac->blocklen) |
71 | && EVP_MAC_final(ctx, hmac->V, NULL, sizeof(hmac->V)); | |
8bf36651 SL |
72 | } |
73 | ||
74 | /* | |
75 | * SP800-90Ar1 10.1.2.2 HMAC_DRBG_Update_Process | |
76 | * | |
77 | * | |
78 | * Updates the drbg objects Key(K) and Value(V) using the following algorithm: | |
79 | * K,V = do_hmac(hmac, 0, in1, in2, in3) | |
80 | * if (any input is not NULL) | |
81 | * K,V = do_hmac(hmac, 1, in1, in2, in3) | |
82 | * | |
83 | * where in1, in2, in3 are optional input buffers that can be NULL. | |
84 | * in1len, in2len, in3len are the lengths of the input buffers. | |
85 | * | |
86 | * Returns zero if an error occurs otherwise it returns 1. | |
87 | */ | |
f3090fc7 | 88 | static int drbg_hmac_update(PROV_DRBG_HMAC *hmac, |
8bf36651 SL |
89 | const unsigned char *in1, size_t in1len, |
90 | const unsigned char *in2, size_t in2len, | |
91 | const unsigned char *in3, size_t in3len) | |
92 | { | |
8bf36651 SL |
93 | /* (Steps 1-2) K = HMAC(K, V||0x00||provided_data). V = HMAC(K,V) */ |
94 | if (!do_hmac(hmac, 0x00, in1, in1len, in2, in2len, in3, in3len)) | |
95 | return 0; | |
96 | /* (Step 3) If provided_data == NULL then return (K,V) */ | |
97 | if (in1len == 0 && in2len == 0 && in3len == 0) | |
98 | return 1; | |
99 | /* (Steps 4-5) K = HMAC(K, V||0x01||provided_data). V = HMAC(K,V) */ | |
100 | return do_hmac(hmac, 0x01, in1, in1len, in2, in2len, in3, in3len); | |
101 | } | |
102 | ||
103 | /* | |
104 | * SP800-90Ar1 10.1.2.3 HMAC_DRBG_Instantiate_Process: | |
105 | * | |
106 | * This sets the drbg Key (K) to all zeros, and Value (V) to all 1's. | |
107 | * and then calls (K,V) = drbg_hmac_update() with input parameters: | |
108 | * ent = entropy data (Can be NULL) of length ent_len. | |
109 | * nonce = nonce data (Can be NULL) of length nonce_len. | |
110 | * pstr = personalization data (Can be NULL) of length pstr_len. | |
111 | * | |
112 | * Returns zero if an error occurs otherwise it returns 1. | |
113 | */ | |
f3090fc7 | 114 | int ossl_drbg_hmac_init(PROV_DRBG_HMAC *hmac, |
115 | const unsigned char *ent, size_t ent_len, | |
116 | const unsigned char *nonce, size_t nonce_len, | |
117 | const unsigned char *pstr, size_t pstr_len) | |
8bf36651 | 118 | { |
f000e828 P |
119 | if (hmac->ctx == NULL) { |
120 | ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MAC); | |
121 | return 0; | |
122 | } | |
8bf36651 SL |
123 | |
124 | /* (Step 2) Key = 0x00 00...00 */ | |
125 | memset(hmac->K, 0x00, hmac->blocklen); | |
126 | /* (Step 3) V = 0x01 01...01 */ | |
127 | memset(hmac->V, 0x01, hmac->blocklen); | |
128 | /* (Step 4) (K,V) = HMAC_DRBG_Update(entropy||nonce||pers string, K, V) */ | |
f3090fc7 | 129 | return drbg_hmac_update(hmac, ent, ent_len, nonce, nonce_len, pstr, |
8bf36651 SL |
130 | pstr_len); |
131 | } | |
f3090fc7 | 132 | static int drbg_hmac_instantiate(PROV_DRBG *drbg, |
133 | const unsigned char *ent, size_t ent_len, | |
134 | const unsigned char *nonce, size_t nonce_len, | |
135 | const unsigned char *pstr, size_t pstr_len) | |
136 | { | |
137 | return ossl_drbg_hmac_init((PROV_DRBG_HMAC *)drbg->data, ent, ent_len, | |
138 | nonce, nonce_len, pstr, pstr_len); | |
139 | } | |
8bf36651 | 140 | |
f000e828 P |
141 | static int drbg_hmac_instantiate_wrapper(void *vdrbg, unsigned int strength, |
142 | int prediction_resistance, | |
143 | const unsigned char *pstr, | |
b98d550d P |
144 | size_t pstr_len, |
145 | const OSSL_PARAM params[]) | |
f000e828 P |
146 | { |
147 | PROV_DRBG *drbg = (PROV_DRBG *)vdrbg; | |
189ad3ab | 148 | int ret = 0; |
f000e828 | 149 | |
189ad3ab | 150 | if (drbg->lock != NULL && !CRYPTO_THREAD_write_lock(drbg->lock)) |
b98d550d | 151 | return 0; |
189ad3ab MC |
152 | |
153 | if (!ossl_prov_is_running() | |
154 | || !drbg_hmac_set_ctx_params_locked(drbg, params)) | |
155 | goto err; | |
156 | ret = ossl_prov_drbg_instantiate(drbg, strength, prediction_resistance, | |
157 | pstr, pstr_len); | |
158 | err: | |
159 | if (drbg->lock != NULL) | |
160 | CRYPTO_THREAD_unlock(drbg->lock); | |
161 | return ret; | |
f000e828 P |
162 | } |
163 | ||
189ad3ab | 164 | |
8bf36651 SL |
165 | /* |
166 | * SP800-90Ar1 10.1.2.4 HMAC_DRBG_Reseed_Process: | |
167 | * | |
168 | * Reseeds the drbg's Key (K) and Value (V) by calling | |
169 | * (K,V) = drbg_hmac_update() with the following input parameters: | |
170 | * ent = entropy input data (Can be NULL) of length ent_len. | |
171 | * adin = additional input data (Can be NULL) of length adin_len. | |
172 | * | |
173 | * Returns zero if an error occurs otherwise it returns 1. | |
174 | */ | |
f000e828 | 175 | static int drbg_hmac_reseed(PROV_DRBG *drbg, |
8bf36651 SL |
176 | const unsigned char *ent, size_t ent_len, |
177 | const unsigned char *adin, size_t adin_len) | |
178 | { | |
f3090fc7 | 179 | PROV_DRBG_HMAC *hmac = (PROV_DRBG_HMAC *)drbg->data; |
180 | ||
8bf36651 | 181 | /* (Step 2) (K,V) = HMAC_DRBG_Update(entropy||additional_input, K, V) */ |
f3090fc7 | 182 | return drbg_hmac_update(hmac, ent, ent_len, adin, adin_len, NULL, 0); |
8bf36651 SL |
183 | } |
184 | ||
f000e828 P |
185 | static int drbg_hmac_reseed_wrapper(void *vdrbg, int prediction_resistance, |
186 | const unsigned char *ent, size_t ent_len, | |
187 | const unsigned char *adin, size_t adin_len) | |
188 | { | |
189 | PROV_DRBG *drbg = (PROV_DRBG *)vdrbg; | |
190 | ||
7d6766cb P |
191 | return ossl_prov_drbg_reseed(drbg, prediction_resistance, ent, ent_len, |
192 | adin, adin_len); | |
f000e828 P |
193 | } |
194 | ||
8bf36651 SL |
195 | /* |
196 | * SP800-90Ar1 10.1.2.5 HMAC_DRBG_Generate_Process: | |
197 | * | |
198 | * Generates pseudo random bytes and updates the internal K,V for the drbg. | |
199 | * out is a buffer to fill with outlen bytes of pseudo random data. | |
200 | * adin is an additional_input string of size adin_len that may be NULL. | |
201 | * | |
202 | * Returns zero if an error occurs otherwise it returns 1. | |
203 | */ | |
f3090fc7 | 204 | int ossl_drbg_hmac_generate(PROV_DRBG_HMAC *hmac, |
205 | unsigned char *out, size_t outlen, | |
206 | const unsigned char *adin, size_t adin_len) | |
8bf36651 | 207 | { |
f000e828 | 208 | EVP_MAC_CTX *ctx = hmac->ctx; |
8bf36651 SL |
209 | const unsigned char *temp = hmac->V; |
210 | ||
211 | /* (Step 2) if adin != NULL then (K,V) = HMAC_DRBG_Update(adin, K, V) */ | |
212 | if (adin != NULL | |
213 | && adin_len > 0 | |
f3090fc7 | 214 | && !drbg_hmac_update(hmac, adin, adin_len, NULL, 0, NULL, 0)) |
8bf36651 SL |
215 | return 0; |
216 | ||
217 | /* | |
218 | * (Steps 3-5) temp = NULL | |
219 | * while (len(temp) < outlen) { | |
220 | * V = HMAC(K, V) | |
221 | * temp = temp || V | |
222 | * } | |
223 | */ | |
224 | for (;;) { | |
cf5784aa | 225 | if (!EVP_MAC_init(ctx, hmac->K, hmac->blocklen, NULL) |
f000e828 | 226 | || !EVP_MAC_update(ctx, temp, hmac->blocklen)) |
8bf36651 SL |
227 | return 0; |
228 | ||
229 | if (outlen > hmac->blocklen) { | |
f000e828 | 230 | if (!EVP_MAC_final(ctx, out, NULL, outlen)) |
8bf36651 SL |
231 | return 0; |
232 | temp = out; | |
233 | } else { | |
f000e828 | 234 | if (!EVP_MAC_final(ctx, hmac->V, NULL, sizeof(hmac->V))) |
8bf36651 SL |
235 | return 0; |
236 | memcpy(out, hmac->V, outlen); | |
237 | break; | |
238 | } | |
239 | out += hmac->blocklen; | |
240 | outlen -= hmac->blocklen; | |
241 | } | |
242 | /* (Step 6) (K,V) = HMAC_DRBG_Update(adin, K, V) */ | |
f3090fc7 | 243 | if (!drbg_hmac_update(hmac, adin, adin_len, NULL, 0, NULL, 0)) |
8bf36651 SL |
244 | return 0; |
245 | ||
246 | return 1; | |
247 | } | |
248 | ||
f3090fc7 | 249 | static int drbg_hmac_generate(PROV_DRBG *drbg, |
250 | unsigned char *out, size_t outlen, | |
251 | const unsigned char *adin, size_t adin_len) | |
252 | { | |
253 | return ossl_drbg_hmac_generate((PROV_DRBG_HMAC *)drbg->data, out, outlen, | |
254 | adin, adin_len); | |
255 | } | |
256 | ||
257 | static int drbg_hmac_generate_wrapper(void *vdrbg, | |
258 | unsigned char *out, size_t outlen, unsigned int strength, | |
f000e828 | 259 | int prediction_resistance, const unsigned char *adin, size_t adin_len) |
8bf36651 | 260 | { |
f000e828 P |
261 | PROV_DRBG *drbg = (PROV_DRBG *)vdrbg; |
262 | ||
7d6766cb P |
263 | return ossl_prov_drbg_generate(drbg, out, outlen, strength, |
264 | prediction_resistance, adin, adin_len); | |
8bf36651 SL |
265 | } |
266 | ||
f000e828 P |
267 | static int drbg_hmac_uninstantiate(PROV_DRBG *drbg) |
268 | { | |
269 | PROV_DRBG_HMAC *hmac = (PROV_DRBG_HMAC *)drbg->data; | |
8bf36651 | 270 | |
f000e828 P |
271 | OPENSSL_cleanse(hmac->K, sizeof(hmac->K)); |
272 | OPENSSL_cleanse(hmac->V, sizeof(hmac->V)); | |
7d6766cb | 273 | return ossl_prov_drbg_uninstantiate(drbg); |
f000e828 P |
274 | } |
275 | ||
276 | static int drbg_hmac_uninstantiate_wrapper(void *vdrbg) | |
8bf36651 | 277 | { |
189ad3ab MC |
278 | PROV_DRBG *drbg = (PROV_DRBG *)vdrbg; |
279 | int ret; | |
280 | ||
281 | if (drbg->lock != NULL && !CRYPTO_THREAD_write_lock(drbg->lock)) | |
282 | return 0; | |
283 | ||
284 | ret = drbg_hmac_uninstantiate(drbg); | |
285 | ||
286 | if (drbg->lock != NULL) | |
287 | CRYPTO_THREAD_unlock(drbg->lock); | |
288 | ||
289 | return ret; | |
f000e828 | 290 | } |
8bf36651 | 291 | |
f000e828 P |
292 | static int drbg_hmac_verify_zeroization(void *vdrbg) |
293 | { | |
294 | PROV_DRBG *drbg = (PROV_DRBG *)vdrbg; | |
295 | PROV_DRBG_HMAC *hmac = (PROV_DRBG_HMAC *)drbg->data; | |
189ad3ab MC |
296 | int ret = 0; |
297 | ||
298 | if (drbg->lock != NULL && !CRYPTO_THREAD_read_lock(drbg->lock)) | |
299 | return 0; | |
8bf36651 | 300 | |
10fe5e29 DP |
301 | PROV_DRBG_VERIFY_ZEROIZATION(hmac->K); |
302 | PROV_DRBG_VERIFY_ZEROIZATION(hmac->V); | |
189ad3ab MC |
303 | |
304 | ret = 1; | |
305 | err: | |
306 | if (drbg->lock != NULL) | |
307 | CRYPTO_THREAD_unlock(drbg->lock); | |
308 | return ret; | |
f000e828 | 309 | } |
5d0cf102 | 310 | |
f000e828 P |
311 | static int drbg_hmac_new(PROV_DRBG *drbg) |
312 | { | |
313 | PROV_DRBG_HMAC *hmac; | |
8bf36651 | 314 | |
f000e828 | 315 | hmac = OPENSSL_secure_zalloc(sizeof(*hmac)); |
e077455e | 316 | if (hmac == NULL) |
f000e828 | 317 | return 0; |
8bf36651 | 318 | |
f000e828 | 319 | drbg->data = hmac; |
8bf36651 | 320 | /* See SP800-57 Part1 Rev4 5.6.1 Table 3 */ |
3064b551 | 321 | drbg->max_entropylen = DRBG_MAX_LENGTH; |
3064b551 | 322 | drbg->max_noncelen = DRBG_MAX_LENGTH; |
8bf36651 SL |
323 | drbg->max_perslen = DRBG_MAX_LENGTH; |
324 | drbg->max_adinlen = DRBG_MAX_LENGTH; | |
325 | ||
f000e828 | 326 | /* Maximum number of bits per request = 2^19 = 2^16 bytes */ |
8bf36651 | 327 | drbg->max_request = 1 << 16; |
8bf36651 SL |
328 | return 1; |
329 | } | |
f000e828 P |
330 | |
331 | static void *drbg_hmac_new_wrapper(void *provctx, void *parent, | |
332 | const OSSL_DISPATCH *parent_dispatch) | |
333 | { | |
cb4f7a6e TM |
334 | return ossl_rand_drbg_new(provctx, parent, parent_dispatch, |
335 | &drbg_hmac_new, &drbg_hmac_free, | |
f000e828 P |
336 | &drbg_hmac_instantiate, &drbg_hmac_uninstantiate, |
337 | &drbg_hmac_reseed, &drbg_hmac_generate); | |
338 | } | |
339 | ||
340 | static void drbg_hmac_free(void *vdrbg) | |
341 | { | |
342 | PROV_DRBG *drbg = (PROV_DRBG *)vdrbg; | |
343 | PROV_DRBG_HMAC *hmac; | |
344 | ||
345 | if (drbg != NULL && (hmac = (PROV_DRBG_HMAC *)drbg->data) != NULL) { | |
e4162f86 | 346 | EVP_MAC_CTX_free(hmac->ctx); |
f000e828 P |
347 | ossl_prov_digest_reset(&hmac->digest); |
348 | OPENSSL_secure_clear_free(hmac, sizeof(*hmac)); | |
349 | } | |
1dc188ba | 350 | ossl_rand_drbg_free(drbg); |
f000e828 P |
351 | } |
352 | ||
353 | static int drbg_hmac_get_ctx_params(void *vdrbg, OSSL_PARAM params[]) | |
354 | { | |
355 | PROV_DRBG *drbg = (PROV_DRBG *)vdrbg; | |
0ed26fb6 P |
356 | PROV_DRBG_HMAC *hmac = (PROV_DRBG_HMAC *)drbg->data; |
357 | const char *name; | |
358 | const EVP_MD *md; | |
359 | OSSL_PARAM *p; | |
61f11cad MC |
360 | int ret = 0, complete = 0; |
361 | ||
362 | if (!ossl_drbg_get_ctx_params_no_lock(drbg, params, &complete)) | |
363 | return 0; | |
364 | ||
365 | if (complete) | |
366 | return 1; | |
189ad3ab MC |
367 | |
368 | if (drbg->lock != NULL && !CRYPTO_THREAD_read_lock(drbg->lock)) | |
369 | return 0; | |
0ed26fb6 P |
370 | |
371 | p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MAC); | |
372 | if (p != NULL) { | |
373 | if (hmac->ctx == NULL) | |
189ad3ab | 374 | goto err; |
ed576acd | 375 | name = EVP_MAC_get0_name(EVP_MAC_CTX_get0_mac(hmac->ctx)); |
0ed26fb6 | 376 | if (!OSSL_PARAM_set_utf8_string(p, name)) |
189ad3ab | 377 | goto err; |
0ed26fb6 P |
378 | } |
379 | ||
380 | p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_DIGEST); | |
381 | if (p != NULL) { | |
382 | md = ossl_prov_digest_md(&hmac->digest); | |
ed576acd | 383 | if (md == NULL || !OSSL_PARAM_set_utf8_string(p, EVP_MD_get0_name(md))) |
189ad3ab | 384 | goto err; |
0ed26fb6 | 385 | } |
f000e828 | 386 | |
189ad3ab MC |
387 | ret = ossl_drbg_get_ctx_params(drbg, params); |
388 | err: | |
389 | if (drbg->lock != NULL) | |
390 | CRYPTO_THREAD_unlock(drbg->lock); | |
391 | ||
392 | return ret; | |
f000e828 P |
393 | } |
394 | ||
a3f091fd P |
395 | static const OSSL_PARAM *drbg_hmac_gettable_ctx_params(ossl_unused void *vctx, |
396 | ossl_unused void *p_ctx) | |
f000e828 P |
397 | { |
398 | static const OSSL_PARAM known_gettable_ctx_params[] = { | |
0ed26fb6 P |
399 | OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_MAC, NULL, 0), |
400 | OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_DIGEST, NULL, 0), | |
82a7b2fb | 401 | OSSL_PARAM_DRBG_GETTABLE_CTX_COMMON, |
f000e828 P |
402 | OSSL_PARAM_END |
403 | }; | |
404 | return known_gettable_ctx_params; | |
405 | } | |
406 | ||
189ad3ab | 407 | static int drbg_hmac_set_ctx_params_locked(void *vctx, const OSSL_PARAM params[]) |
f000e828 P |
408 | { |
409 | PROV_DRBG *ctx = (PROV_DRBG *)vctx; | |
410 | PROV_DRBG_HMAC *hmac = (PROV_DRBG_HMAC *)ctx->data; | |
a829b735 | 411 | OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx); |
f000e828 P |
412 | const EVP_MD *md; |
413 | ||
414 | if (!ossl_prov_digest_load_from_params(&hmac->digest, params, libctx)) | |
415 | return 0; | |
416 | ||
f000e828 | 417 | md = ossl_prov_digest_md(&hmac->digest); |
f553c0f0 P |
418 | if (md != NULL && !ossl_drbg_verify_digest(libctx, md)) |
419 | return 0; /* Error already raised for us */ | |
f000e828 P |
420 | |
421 | if (!ossl_prov_macctx_load_from_params(&hmac->ctx, params, | |
422 | NULL, NULL, NULL, libctx)) | |
423 | return 0; | |
424 | ||
f553c0f0 | 425 | if (md != NULL && hmac->ctx != NULL) { |
f000e828 | 426 | /* These are taken from SP 800-90 10.1 Table 2 */ |
ed576acd | 427 | hmac->blocklen = EVP_MD_get_size(md); |
f000e828 P |
428 | /* See SP800-57 Part1 Rev4 5.6.1 Table 3 */ |
429 | ctx->strength = 64 * (int)(hmac->blocklen >> 3); | |
430 | if (ctx->strength > 256) | |
431 | ctx->strength = 256; | |
432 | ctx->seedlen = hmac->blocklen; | |
433 | ctx->min_entropylen = ctx->strength / 8; | |
434 | ctx->min_noncelen = ctx->min_entropylen / 2; | |
435 | } | |
436 | ||
b24d6c33 | 437 | return ossl_drbg_set_ctx_params(ctx, params); |
f000e828 P |
438 | } |
439 | ||
189ad3ab MC |
440 | static int drbg_hmac_set_ctx_params(void *vctx, const OSSL_PARAM params[]) |
441 | { | |
442 | PROV_DRBG *drbg = (PROV_DRBG *)vctx; | |
443 | int ret; | |
444 | ||
445 | if (drbg->lock != NULL && !CRYPTO_THREAD_write_lock(drbg->lock)) | |
446 | return 0; | |
447 | ||
448 | ret = drbg_hmac_set_ctx_params_locked(vctx, params); | |
449 | ||
450 | if (drbg->lock != NULL) | |
451 | CRYPTO_THREAD_unlock(drbg->lock); | |
452 | ||
453 | return ret; | |
454 | } | |
455 | ||
a3f091fd P |
456 | static const OSSL_PARAM *drbg_hmac_settable_ctx_params(ossl_unused void *vctx, |
457 | ossl_unused void *p_ctx) | |
f000e828 P |
458 | { |
459 | static const OSSL_PARAM known_settable_ctx_params[] = { | |
460 | OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_PROPERTIES, NULL, 0), | |
461 | OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_DIGEST, NULL, 0), | |
462 | OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_MAC, NULL, 0), | |
82a7b2fb | 463 | OSSL_PARAM_DRBG_SETTABLE_CTX_COMMON, |
f000e828 P |
464 | OSSL_PARAM_END |
465 | }; | |
466 | return known_settable_ctx_params; | |
467 | } | |
468 | ||
1be63951 | 469 | const OSSL_DISPATCH ossl_drbg_ossl_hmac_functions[] = { |
f000e828 P |
470 | { OSSL_FUNC_RAND_NEWCTX, (void(*)(void))drbg_hmac_new_wrapper }, |
471 | { OSSL_FUNC_RAND_FREECTX, (void(*)(void))drbg_hmac_free }, | |
472 | { OSSL_FUNC_RAND_INSTANTIATE, | |
473 | (void(*)(void))drbg_hmac_instantiate_wrapper }, | |
474 | { OSSL_FUNC_RAND_UNINSTANTIATE, | |
475 | (void(*)(void))drbg_hmac_uninstantiate_wrapper }, | |
476 | { OSSL_FUNC_RAND_GENERATE, (void(*)(void))drbg_hmac_generate_wrapper }, | |
477 | { OSSL_FUNC_RAND_RESEED, (void(*)(void))drbg_hmac_reseed_wrapper }, | |
b24d6c33 P |
478 | { OSSL_FUNC_RAND_ENABLE_LOCKING, (void(*)(void))ossl_drbg_enable_locking }, |
479 | { OSSL_FUNC_RAND_LOCK, (void(*)(void))ossl_drbg_lock }, | |
480 | { OSSL_FUNC_RAND_UNLOCK, (void(*)(void))ossl_drbg_unlock }, | |
f000e828 P |
481 | { OSSL_FUNC_RAND_SETTABLE_CTX_PARAMS, |
482 | (void(*)(void))drbg_hmac_settable_ctx_params }, | |
483 | { OSSL_FUNC_RAND_SET_CTX_PARAMS, (void(*)(void))drbg_hmac_set_ctx_params }, | |
484 | { OSSL_FUNC_RAND_GETTABLE_CTX_PARAMS, | |
485 | (void(*)(void))drbg_hmac_gettable_ctx_params }, | |
486 | { OSSL_FUNC_RAND_GET_CTX_PARAMS, (void(*)(void))drbg_hmac_get_ctx_params }, | |
f000e828 P |
487 | { OSSL_FUNC_RAND_VERIFY_ZEROIZATION, |
488 | (void(*)(void))drbg_hmac_verify_zeroization }, | |
335e85f5 P |
489 | { OSSL_FUNC_RAND_GET_SEED, (void(*)(void))ossl_drbg_get_seed }, |
490 | { OSSL_FUNC_RAND_CLEAR_SEED, (void(*)(void))ossl_drbg_clear_seed }, | |
1e6bd31e | 491 | OSSL_DISPATCH_END |
f000e828 | 492 | }; |