2 * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/bn.h>
11 #include <openssl/evp.h>
12 #include <openssl/core_names.h>
13 #include <openssl/kdf.h>
14 #include "internal/deterministic_nonce.h"
17 * Convert a Bit String to an Integer (See RFC 6979 Section 2.3.2)
20 * out The returned Integer as a BIGNUM
21 * qlen_bits The maximum size of the returned integer in bits. The returned
22 * Integer is shifted right if inlen is larger than qlen_bits..
23 * in, inlen The input Bit String (in bytes).
24 * Returns: 1 if successful, or 0 otherwise.
26 static int bits2int(BIGNUM
*out
, int qlen_bits
,
27 const unsigned char *in
, size_t inlen
)
29 int blen_bits
= inlen
* 8;
32 if (BN_bin2bn(in
, (int)inlen
, out
) == NULL
)
35 shift
= blen_bits
- qlen_bits
;
37 return BN_rshift(out
, out
, shift
);
42 * Convert an Integer to an Octet String (See RFC 6979 2.3.3).
43 * The value is zero padded if required.
46 * out The returned Octet String
47 * num The input Integer
48 * rlen The required size of the returned Octet String in bytes
49 * Returns: 1 if successful, or 0 otherwise.
51 static int int2octets(unsigned char *out
, const BIGNUM
*num
, int rlen
)
53 return BN_bn2binpad(num
, out
, rlen
) >= 0;
57 * Convert a Bit String to an Octet String (See RFC 6979 Section 2.3.4)
60 * out The returned octet string.
62 * qlen_bits The length of q in bits
63 * rlen The value of qlen_bits rounded up to the nearest 8 bits.
64 * in, inlen The input bit string (in bytes)
65 * Returns: 1 if successful, or 0 otherwise.
67 static int bits2octets(unsigned char *out
, const BIGNUM
*q
, int qlen_bits
,
68 int rlen
, const unsigned char *in
, size_t inlen
)
74 || !bits2int(z
, qlen_bits
, in
, inlen
))
77 /* z2 = z1 mod q (Do a simple subtract, since z1 < 2^qlen_bits) */
82 ret
= int2octets(out
, z
, rlen
);
89 * Setup a KDF HMAC_DRBG object using fixed entropy and nonce data.
92 * digestname The digest name for the HMAC
93 * entropy, entropylen A fixed input entropy buffer
94 * nonce, noncelen A fixed input nonce buffer
95 * libctx, propq Are used for fetching algorithms
97 * Returns: The created KDF HMAC_DRBG object if successful, or NULL otherwise.
99 static EVP_KDF_CTX
*kdf_setup(const char *digestname
,
100 const unsigned char *entropy
, size_t entropylen
,
101 const unsigned char *nonce
, size_t noncelen
,
102 OSSL_LIB_CTX
*libctx
, const char *propq
)
104 EVP_KDF_CTX
*ctx
= NULL
;
106 OSSL_PARAM params
[5], *p
;
108 kdf
= EVP_KDF_fetch(libctx
, "HMAC-DRBG-KDF", propq
);
109 ctx
= EVP_KDF_CTX_new(kdf
);
115 *p
++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST
,
116 (char *)digestname
, 0);
118 *p
++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_PROPERTIES
,
120 *p
++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_HMACDRBG_ENTROPY
,
121 (void *)entropy
, entropylen
);
122 *p
++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_HMACDRBG_NONCE
,
123 (void *)nonce
, noncelen
);
124 *p
= OSSL_PARAM_construct_end();
126 if (EVP_KDF_CTX_set_params(ctx
, params
) <= 0)
131 EVP_KDF_CTX_free(ctx
);
136 * Generate a Deterministic nonce 'k' for DSA/ECDSA as defined in
137 * RFC 6979 Section 3.3. "Alternate Description of the Generation of k"
140 * out Returns the generated deterministic nonce 'k'
141 * q A large prime number used for modulus operations for DSA and ECDSA.
142 * priv The private key in the range [1, q-1]
143 * hm, hmlen The digested message buffer in bytes
144 * digestname The digest name used for signing. It is used as the HMAC digest.
145 * libctx, propq Used for fetching algorithms
147 * Returns: 1 if successful, or 0 otherwise.
149 int ossl_gen_deterministic_nonce_rfc6979(BIGNUM
*out
, const BIGNUM
*q
,
151 const unsigned char *hm
, size_t hmlen
,
152 const char *digestname
,
153 OSSL_LIB_CTX
*libctx
,
156 EVP_KDF_CTX
*kdfctx
= NULL
;
157 int ret
= 0, rlen
= 0, qlen_bits
= 0;
158 unsigned char *entropyx
= NULL
, *nonceh
= NULL
, *T
= NULL
;
164 qlen_bits
= BN_num_bits(q
);
168 /* Note rlen used here is in bytes since the input values are byte arrays */
169 rlen
= (qlen_bits
+ 7) / 8;
172 /* Use a single alloc for the buffers T, nonceh and entropyx */
173 T
= (unsigned char *)OPENSSL_zalloc(allocsz
);
177 entropyx
= nonceh
+ rlen
;
179 if (!int2octets(entropyx
, priv
, rlen
)
180 || !bits2octets(nonceh
, q
, qlen_bits
, rlen
, hm
, hmlen
))
183 kdfctx
= kdf_setup(digestname
, entropyx
, rlen
, nonceh
, rlen
, libctx
, propq
);
188 if (!EVP_KDF_derive(kdfctx
, T
, rlen
, NULL
)
189 || !bits2int(out
, qlen_bits
, T
, rlen
))
191 } while (BN_is_zero(out
) || BN_is_one(out
) || BN_cmp(out
, q
) >= 0);
195 EVP_KDF_CTX_free(kdfctx
);
196 OPENSSL_clear_free(T
, allocsz
);