1/* 2 * Copyright 2011-2021 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10#include <stdlib.h> 11#include <string.h> 12#include <openssl/crypto.h> 13#include <openssl/err.h> 14#include <openssl/rand.h> 15#include <openssl/proverr.h> 16#include "prov/provider_util.h" 17#include "internal/thread_once.h" 18#include "prov/providercommon.h" 19#include "prov/implementations.h" 20#include "prov/provider_ctx.h" 21#include "drbg_local.h" 22 23static OSSL_FUNC_rand_newctx_fn drbg_hmac_new_wrapper; 24static OSSL_FUNC_rand_freectx_fn drbg_hmac_free; 25static OSSL_FUNC_rand_instantiate_fn drbg_hmac_instantiate_wrapper; 26static OSSL_FUNC_rand_uninstantiate_fn drbg_hmac_uninstantiate_wrapper; 27static OSSL_FUNC_rand_generate_fn drbg_hmac_generate_wrapper; 28static OSSL_FUNC_rand_reseed_fn drbg_hmac_reseed_wrapper; 29static OSSL_FUNC_rand_settable_ctx_params_fn drbg_hmac_settable_ctx_params; 30static OSSL_FUNC_rand_set_ctx_params_fn drbg_hmac_set_ctx_params; 31static OSSL_FUNC_rand_gettable_ctx_params_fn drbg_hmac_gettable_ctx_params; 32static OSSL_FUNC_rand_get_ctx_params_fn drbg_hmac_get_ctx_params; 33static OSSL_FUNC_rand_verify_zeroization_fn drbg_hmac_verify_zeroization; 34 35typedef struct rand_drbg_hmac_st { 36 EVP_MAC_CTX *ctx; /* H(x) = HMAC_hash OR H(x) = KMAC */ 37 PROV_DIGEST digest; /* H(x) = hash(x) */ 38 size_t blocklen; 39 unsigned char K[EVP_MAX_MD_SIZE]; 40 unsigned char V[EVP_MAX_MD_SIZE]; 41} PROV_DRBG_HMAC; 42 43/* 44 * Called twice by SP800-90Ar1 10.1.2.2 HMAC_DRBG_Update_Process. 45 * 46 * hmac is an object that holds the input/output Key and Value (K and V). 47 * inbyte is 0x00 on the first call and 0x01 on the second call. 48 * in1, in2, in3 are optional inputs that can be NULL. 49 * in1len, in2len, in3len are the lengths of the input buffers. 50 * 51 * The returned K,V is: 52 * hmac->K = HMAC(hmac->K, hmac->V || inbyte || [in1] || [in2] || [in3]) 53 * hmac->V = HMAC(hmac->K, hmac->V) 54 * 55 * Returns zero if an error occurs otherwise it returns 1. 56 */ 57static int do_hmac(PROV_DRBG_HMAC *hmac, unsigned char inbyte, 58 const unsigned char *in1, size_t in1len, 59 const unsigned char *in2, size_t in2len, 60 const unsigned char *in3, size_t in3len) 61{ 62 EVP_MAC_CTX *ctx = hmac->ctx; 63 64 if (!EVP_MAC_init(ctx, hmac->K, hmac->blocklen, NULL) 65 /* K = HMAC(K, V || inbyte || [in1] || [in2] || [in3]) */ 66 || !EVP_MAC_update(ctx, hmac->V, hmac->blocklen) 67 || !EVP_MAC_update(ctx, &inbyte, 1) 68 || !(in1 == NULL || in1len == 0 || EVP_MAC_update(ctx, in1, in1len)) 69 || !(in2 == NULL || in2len == 0 || EVP_MAC_update(ctx, in2, in2len)) 70 || !(in3 == NULL || in3len == 0 || EVP_MAC_update(ctx, in3, in3len)) 71 || !EVP_MAC_final(ctx, hmac->K, NULL, sizeof(hmac->K))) 72 return 0; 73 74 /* V = HMAC(K, V) */ 75 return EVP_MAC_init(ctx, hmac->K, hmac->blocklen, NULL) 76 && EVP_MAC_update(ctx, hmac->V, hmac->blocklen) 77 && EVP_MAC_final(ctx, hmac->V, NULL, sizeof(hmac->V)); 78} 79 80/* 81 * SP800-90Ar1 10.1.2.2 HMAC_DRBG_Update_Process 82 * 83 * 84 * Updates the drbg objects Key(K) and Value(V) using the following algorithm: 85 * K,V = do_hmac(hmac, 0, in1, in2, in3) 86 * if (any input is not NULL) 87 * K,V = do_hmac(hmac, 1, in1, in2, in3) 88 * 89 * where in1, in2, in3 are optional input buffers that can be NULL. 90 * in1len, in2len, in3len are the lengths of the input buffers. 91 * 92 * Returns zero if an error occurs otherwise it returns 1. 93 */ 94static int drbg_hmac_update(PROV_DRBG *drbg, 95 const unsigned char *in1, size_t in1len, 96 const unsigned char *in2, size_t in2len, 97 const unsigned char *in3, size_t in3len) 98{ 99 PROV_DRBG_HMAC *hmac = (PROV_DRBG_HMAC *)drbg->data; 100 101 /* (Steps 1-2) K = HMAC(K, V||0x00||provided_data). V = HMAC(K,V) */ 102 if (!do_hmac(hmac, 0x00, in1, in1len, in2, in2len, in3, in3len)) 103 return 0; 104 /* (Step 3) If provided_data == NULL then return (K,V) */ 105 if (in1len == 0 && in2len == 0 && in3len == 0) 106 return 1; 107 /* (Steps 4-5) K = HMAC(K, V||0x01||provided_data). V = HMAC(K,V) */ 108 return do_hmac(hmac, 0x01, in1, in1len, in2, in2len, in3, in3len); 109} 110 111/* 112 * SP800-90Ar1 10.1.2.3 HMAC_DRBG_Instantiate_Process: 113 * 114 * This sets the drbg Key (K) to all zeros, and Value (V) to all 1's. 115 * and then calls (K,V) = drbg_hmac_update() with input parameters: 116 * ent = entropy data (Can be NULL) of length ent_len. 117 * nonce = nonce data (Can be NULL) of length nonce_len. 118 * pstr = personalization data (Can be NULL) of length pstr_len. 119 * 120 * Returns zero if an error occurs otherwise it returns 1. 121 */ 122static int drbg_hmac_instantiate(PROV_DRBG *drbg, 123 const unsigned char *ent, size_t ent_len, 124 const unsigned char *nonce, size_t nonce_len, 125 const unsigned char *pstr, size_t pstr_len) 126{ 127 PROV_DRBG_HMAC *hmac = (PROV_DRBG_HMAC *)drbg->data; 128 129 if (hmac->ctx == NULL) { 130 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MAC); 131 return 0; 132 } 133 134 /* (Step 2) Key = 0x00 00...00 */ 135 memset(hmac->K, 0x00, hmac->blocklen); 136 /* (Step 3) V = 0x01 01...01 */ 137 memset(hmac->V, 0x01, hmac->blocklen); 138 /* (Step 4) (K,V) = HMAC_DRBG_Update(entropy||nonce||pers string, K, V) */ 139 return drbg_hmac_update(drbg, ent, ent_len, nonce, nonce_len, pstr, 140 pstr_len); 141} 142 143static int drbg_hmac_instantiate_wrapper(void *vdrbg, unsigned int strength, 144 int prediction_resistance, 145 const unsigned char *pstr, 146 size_t pstr_len, 147 const OSSL_PARAM params[]) 148{ 149 PROV_DRBG *drbg = (PROV_DRBG *)vdrbg; 150 151 if (!ossl_prov_is_running() || !drbg_hmac_set_ctx_params(drbg, params)) 152 return 0; 153 return ossl_prov_drbg_instantiate(drbg, strength, prediction_resistance, 154 pstr, pstr_len); 155} 156 157/* 158 * SP800-90Ar1 10.1.2.4 HMAC_DRBG_Reseed_Process: 159 * 160 * Reseeds the drbg's Key (K) and Value (V) by calling 161 * (K,V) = drbg_hmac_update() with the following input parameters: 162 * ent = entropy input data (Can be NULL) of length ent_len. 163 * adin = additional input data (Can be NULL) of length adin_len. 164 * 165 * Returns zero if an error occurs otherwise it returns 1. 166 */ 167static int drbg_hmac_reseed(PROV_DRBG *drbg, 168 const unsigned char *ent, size_t ent_len, 169 const unsigned char *adin, size_t adin_len) 170{ 171 /* (Step 2) (K,V) = HMAC_DRBG_Update(entropy||additional_input, K, V) */ 172 return drbg_hmac_update(drbg, ent, ent_len, adin, adin_len, NULL, 0); 173} 174 175static int drbg_hmac_reseed_wrapper(void *vdrbg, int prediction_resistance, 176 const unsigned char *ent, size_t ent_len, 177 const unsigned char *adin, size_t adin_len) 178{ 179 PROV_DRBG *drbg = (PROV_DRBG *)vdrbg; 180 181 return ossl_prov_drbg_reseed(drbg, prediction_resistance, ent, ent_len, 182 adin, adin_len); 183} 184 185/* 186 * SP800-90Ar1 10.1.2.5 HMAC_DRBG_Generate_Process: 187 * 188 * Generates pseudo random bytes and updates the internal K,V for the drbg. 189 * out is a buffer to fill with outlen bytes of pseudo random data. 190 * adin is an additional_input string of size adin_len that may be NULL. 191 * 192 * Returns zero if an error occurs otherwise it returns 1. 193 */ 194static int drbg_hmac_generate(PROV_DRBG *drbg, 195 unsigned char *out, size_t outlen, 196 const unsigned char *adin, size_t adin_len) 197{ 198 PROV_DRBG_HMAC *hmac = (PROV_DRBG_HMAC *)drbg->data; 199 EVP_MAC_CTX *ctx = hmac->ctx; 200 const unsigned char *temp = hmac->V; 201 202 /* (Step 2) if adin != NULL then (K,V) = HMAC_DRBG_Update(adin, K, V) */ 203 if (adin != NULL 204 && adin_len > 0 205 && !drbg_hmac_update(drbg, adin, adin_len, NULL, 0, NULL, 0)) 206 return 0; 207 208 /* 209 * (Steps 3-5) temp = NULL 210 * while (len(temp) < outlen) { 211 * V = HMAC(K, V) 212 * temp = temp || V 213 * } 214 */ 215 for (;;) { 216 if (!EVP_MAC_init(ctx, hmac->K, hmac->blocklen, NULL) 217 || !EVP_MAC_update(ctx, temp, hmac->blocklen)) 218 return 0; 219 220 if (outlen > hmac->blocklen) { 221 if (!EVP_MAC_final(ctx, out, NULL, outlen)) 222 return 0; 223 temp = out; 224 } else { 225 if (!EVP_MAC_final(ctx, hmac->V, NULL, sizeof(hmac->V))) 226 return 0; 227 memcpy(out, hmac->V, outlen); 228 break; 229 } 230 out += hmac->blocklen; 231 outlen -= hmac->blocklen; 232 } 233 /* (Step 6) (K,V) = HMAC_DRBG_Update(adin, K, V) */ 234 if (!drbg_hmac_update(drbg, adin, adin_len, NULL, 0, NULL, 0)) 235 return 0; 236 237 return 1; 238} 239 240static int drbg_hmac_generate_wrapper 241 (void *vdrbg, unsigned char *out, size_t outlen, unsigned int strength, 242 int prediction_resistance, const unsigned char *adin, size_t adin_len) 243{ 244 PROV_DRBG *drbg = (PROV_DRBG *)vdrbg; 245 246 return ossl_prov_drbg_generate(drbg, out, outlen, strength, 247 prediction_resistance, adin, adin_len); 248} 249 250static int drbg_hmac_uninstantiate(PROV_DRBG *drbg) 251{ 252 PROV_DRBG_HMAC *hmac = (PROV_DRBG_HMAC *)drbg->data; 253 254 OPENSSL_cleanse(hmac->K, sizeof(hmac->K)); 255 OPENSSL_cleanse(hmac->V, sizeof(hmac->V)); 256 return ossl_prov_drbg_uninstantiate(drbg); 257} 258 259static int drbg_hmac_uninstantiate_wrapper(void *vdrbg) 260{ 261 return drbg_hmac_uninstantiate((PROV_DRBG *)vdrbg); 262} 263 264static int drbg_hmac_verify_zeroization(void *vdrbg) 265{ 266 PROV_DRBG *drbg = (PROV_DRBG *)vdrbg; 267 PROV_DRBG_HMAC *hmac = (PROV_DRBG_HMAC *)drbg->data; 268 269 PROV_DRBG_VERYIFY_ZEROIZATION(hmac->K); 270 PROV_DRBG_VERYIFY_ZEROIZATION(hmac->V); 271 return 1; 272} 273 274static int drbg_hmac_new(PROV_DRBG *drbg) 275{ 276 PROV_DRBG_HMAC *hmac; 277 278 hmac = OPENSSL_secure_zalloc(sizeof(*hmac)); 279 if (hmac == NULL) { 280 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); 281 return 0; 282 } 283 284 drbg->data = hmac; 285 /* See SP800-57 Part1 Rev4 5.6.1 Table 3 */ 286 drbg->max_entropylen = DRBG_MAX_LENGTH; 287 drbg->max_noncelen = DRBG_MAX_LENGTH; 288 drbg->max_perslen = DRBG_MAX_LENGTH; 289 drbg->max_adinlen = DRBG_MAX_LENGTH; 290 291 /* Maximum number of bits per request = 2^19 = 2^16 bytes */ 292 drbg->max_request = 1 << 16; 293 return 1; 294} 295 296static void *drbg_hmac_new_wrapper(void *provctx, void *parent, 297 const OSSL_DISPATCH *parent_dispatch) 298{ 299 return ossl_rand_drbg_new(provctx, parent, parent_dispatch, &drbg_hmac_new, 300 &drbg_hmac_instantiate, &drbg_hmac_uninstantiate, 301 &drbg_hmac_reseed, &drbg_hmac_generate); 302} 303 304static void drbg_hmac_free(void *vdrbg) 305{ 306 PROV_DRBG *drbg = (PROV_DRBG *)vdrbg; 307 PROV_DRBG_HMAC *hmac; 308 309 if (drbg != NULL && (hmac = (PROV_DRBG_HMAC *)drbg->data) != NULL) { 310 EVP_MAC_CTX_free(hmac->ctx); 311 ossl_prov_digest_reset(&hmac->digest); 312 OPENSSL_secure_clear_free(hmac, sizeof(*hmac)); 313 } 314 ossl_rand_drbg_free(drbg); 315} 316 317static int drbg_hmac_get_ctx_params(void *vdrbg, OSSL_PARAM params[]) 318{ 319 PROV_DRBG *drbg = (PROV_DRBG *)vdrbg; 320 PROV_DRBG_HMAC *hmac = (PROV_DRBG_HMAC *)drbg->data; 321 const char *name; 322 const EVP_MD *md; 323 OSSL_PARAM *p; 324 325 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MAC); 326 if (p != NULL) { 327 if (hmac->ctx == NULL) 328 return 0; 329 name = EVP_MAC_get0_name(EVP_MAC_CTX_get0_mac(hmac->ctx)); 330 if (!OSSL_PARAM_set_utf8_string(p, name)) 331 return 0; 332 } 333 334 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_DIGEST); 335 if (p != NULL) { 336 md = ossl_prov_digest_md(&hmac->digest); 337 if (md == NULL || !OSSL_PARAM_set_utf8_string(p, EVP_MD_get0_name(md))) 338 return 0; 339 } 340 341 return ossl_drbg_get_ctx_params(drbg, params); 342} 343 344static const OSSL_PARAM *drbg_hmac_gettable_ctx_params(ossl_unused void *vctx, 345 ossl_unused void *p_ctx) 346{ 347 static const OSSL_PARAM known_gettable_ctx_params[] = { 348 OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_MAC, NULL, 0), 349 OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_DIGEST, NULL, 0), 350 OSSL_PARAM_DRBG_GETTABLE_CTX_COMMON, 351 OSSL_PARAM_END 352 }; 353 return known_gettable_ctx_params; 354} 355 356static int drbg_hmac_set_ctx_params(void *vctx, const OSSL_PARAM params[]) 357{ 358 PROV_DRBG *ctx = (PROV_DRBG *)vctx; 359 PROV_DRBG_HMAC *hmac = (PROV_DRBG_HMAC *)ctx->data; 360 OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx); 361 const EVP_MD *md; 362 363 if (!ossl_prov_digest_load_from_params(&hmac->digest, params, libctx)) 364 return 0; 365 366 /* 367 * Confirm digest is allowed. We allow all digests that are not XOF 368 * (such as SHAKE). In FIPS mode, the fetch will fail for non-approved 369 * digests. 370 */ 371 md = ossl_prov_digest_md(&hmac->digest); 372 if (md != NULL && (EVP_MD_get_flags(md) & EVP_MD_FLAG_XOF) != 0) { 373 ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED); 374 return 0; 375 } 376 377 if (!ossl_prov_macctx_load_from_params(&hmac->ctx, params, 378 NULL, NULL, NULL, libctx)) 379 return 0; 380 381 if (hmac->ctx != NULL) { 382 /* These are taken from SP 800-90 10.1 Table 2 */ 383 hmac->blocklen = EVP_MD_get_size(md); 384 /* See SP800-57 Part1 Rev4 5.6.1 Table 3 */ 385 ctx->strength = 64 * (int)(hmac->blocklen >> 3); 386 if (ctx->strength > 256) 387 ctx->strength = 256; 388 ctx->seedlen = hmac->blocklen; 389 ctx->min_entropylen = ctx->strength / 8; 390 ctx->min_noncelen = ctx->min_entropylen / 2; 391 } 392 393 return ossl_drbg_set_ctx_params(ctx, params); 394} 395 396static const OSSL_PARAM *drbg_hmac_settable_ctx_params(ossl_unused void *vctx, 397 ossl_unused void *p_ctx) 398{ 399 static const OSSL_PARAM known_settable_ctx_params[] = { 400 OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_PROPERTIES, NULL, 0), 401 OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_DIGEST, NULL, 0), 402 OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_MAC, NULL, 0), 403 OSSL_PARAM_DRBG_SETTABLE_CTX_COMMON, 404 OSSL_PARAM_END 405 }; 406 return known_settable_ctx_params; 407} 408 409const OSSL_DISPATCH ossl_drbg_ossl_hmac_functions[] = { 410 { OSSL_FUNC_RAND_NEWCTX, (void(*)(void))drbg_hmac_new_wrapper }, 411 { OSSL_FUNC_RAND_FREECTX, (void(*)(void))drbg_hmac_free }, 412 { OSSL_FUNC_RAND_INSTANTIATE, 413 (void(*)(void))drbg_hmac_instantiate_wrapper }, 414 { OSSL_FUNC_RAND_UNINSTANTIATE, 415 (void(*)(void))drbg_hmac_uninstantiate_wrapper }, 416 { OSSL_FUNC_RAND_GENERATE, (void(*)(void))drbg_hmac_generate_wrapper }, 417 { OSSL_FUNC_RAND_RESEED, (void(*)(void))drbg_hmac_reseed_wrapper }, 418 { OSSL_FUNC_RAND_ENABLE_LOCKING, (void(*)(void))ossl_drbg_enable_locking }, 419 { OSSL_FUNC_RAND_LOCK, (void(*)(void))ossl_drbg_lock }, 420 { OSSL_FUNC_RAND_UNLOCK, (void(*)(void))ossl_drbg_unlock }, 421 { OSSL_FUNC_RAND_SETTABLE_CTX_PARAMS, 422 (void(*)(void))drbg_hmac_settable_ctx_params }, 423 { OSSL_FUNC_RAND_SET_CTX_PARAMS, (void(*)(void))drbg_hmac_set_ctx_params }, 424 { OSSL_FUNC_RAND_GETTABLE_CTX_PARAMS, 425 (void(*)(void))drbg_hmac_gettable_ctx_params }, 426 { OSSL_FUNC_RAND_GET_CTX_PARAMS, (void(*)(void))drbg_hmac_get_ctx_params }, 427 { OSSL_FUNC_RAND_VERIFY_ZEROIZATION, 428 (void(*)(void))drbg_hmac_verify_zeroization }, 429 { OSSL_FUNC_RAND_GET_SEED, (void(*)(void))ossl_drbg_get_seed }, 430 { OSSL_FUNC_RAND_CLEAR_SEED, (void(*)(void))ossl_drbg_clear_seed }, 431 { 0, NULL } 432}; 433