2 * Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/crypto.h>
13 #include <openssl/err.h>
14 #include <openssl/rand.h>
15 #include "internal/thread_once.h"
19 * Called twice by SP800-90Ar1 10.1.2.2 HMAC_DRBG_Update_Process.
21 * hmac is an object that holds the input/output Key and Value (K and V).
22 * inbyte is 0x00 on the first call and 0x01 on the second call.
23 * in1, in2, in3 are optional inputs that can be NULL.
24 * in1len, in2len, in3len are the lengths of the input buffers.
26 * The returned K,V is:
27 * hmac->K = HMAC(hmac->K, hmac->V || inbyte || [in1] || [in2] || [in3])
28 * hmac->V = HMAC(hmac->K, hmac->V)
30 * Returns zero if an error occurs otherwise it returns 1.
32 static int do_hmac(RAND_DRBG_HMAC *hmac, unsigned char inbyte,
33 const unsigned char *in1, size_t in1len,
34 const unsigned char *in2, size_t in2len,
35 const unsigned char *in3, size_t in3len)
37 HMAC_CTX *ctx = hmac->ctx;
39 return HMAC_Init_ex(ctx, hmac->K, hmac->blocklen, hmac->md, NULL)
40 /* K = HMAC(K, V || inbyte || [in1] || [in2] || [in3]) */
41 && HMAC_Update(ctx, hmac->V, hmac->blocklen)
42 && HMAC_Update(ctx, &inbyte, 1)
43 && (in1 == NULL || in1len == 0 || HMAC_Update(ctx, in1, in1len))
44 && (in2 == NULL || in2len == 0 || HMAC_Update(ctx, in2, in2len))
45 && (in3 == NULL || in3len == 0 || HMAC_Update(ctx, in3, in3len))
46 && HMAC_Final(ctx, hmac->K, NULL)
48 && HMAC_Init_ex(ctx, hmac->K, hmac->blocklen, hmac->md, NULL)
49 && HMAC_Update(ctx, hmac->V, hmac->blocklen)
50 && HMAC_Final(ctx, hmac->V, NULL);
54 * SP800-90Ar1 10.1.2.2 HMAC_DRBG_Update_Process
57 * Updates the drbg objects Key(K) and Value(V) using the following algorithm:
58 * K,V = do_hmac(hmac, 0, in1, in2, in3)
59 * if (any input is not NULL)
60 * K,V = do_hmac(hmac, 1, in1, in2, in3)
62 * where in1, in2, in3 are optional input buffers that can be NULL.
63 * in1len, in2len, in3len are the lengths of the input buffers.
65 * Returns zero if an error occurs otherwise it returns 1.
67 static int drbg_hmac_update(RAND_DRBG *drbg,
68 const unsigned char *in1, size_t in1len,
69 const unsigned char *in2, size_t in2len,
70 const unsigned char *in3, size_t in3len)
72 RAND_DRBG_HMAC *hmac = &drbg->data.hmac;
74 /* (Steps 1-2) K = HMAC(K, V||0x00||provided_data). V = HMAC(K,V) */
75 if (!do_hmac(hmac, 0x00, in1, in1len, in2, in2len, in3, in3len))
77 /* (Step 3) If provided_data == NULL then return (K,V) */
78 if (in1len == 0 && in2len == 0 && in3len == 0)
80 /* (Steps 4-5) K = HMAC(K, V||0x01||provided_data). V = HMAC(K,V) */
81 return do_hmac(hmac, 0x01, in1, in1len, in2, in2len, in3, in3len);
85 * SP800-90Ar1 10.1.2.3 HMAC_DRBG_Instantiate_Process:
87 * This sets the drbg Key (K) to all zeros, and Value (V) to all 1's.
88 * and then calls (K,V) = drbg_hmac_update() with input parameters:
89 * ent = entropy data (Can be NULL) of length ent_len.
90 * nonce = nonce data (Can be NULL) of length nonce_len.
91 * pstr = personalization data (Can be NULL) of length pstr_len.
93 * Returns zero if an error occurs otherwise it returns 1.
95 static int drbg_hmac_instantiate(RAND_DRBG *drbg,
96 const unsigned char *ent, size_t ent_len,
97 const unsigned char *nonce, size_t nonce_len,
98 const unsigned char *pstr, size_t pstr_len)
100 RAND_DRBG_HMAC *hmac = &drbg->data.hmac;
102 /* (Step 2) Key = 0x00 00...00 */
103 memset(hmac->K, 0x00, hmac->blocklen);
104 /* (Step 3) V = 0x01 01...01 */
105 memset(hmac->V, 0x01, hmac->blocklen);
106 /* (Step 4) (K,V) = HMAC_DRBG_Update(entropy||nonce||pers string, K, V) */
107 return drbg_hmac_update(drbg, ent, ent_len, nonce, nonce_len, pstr,
112 * SP800-90Ar1 10.1.2.4 HMAC_DRBG_Reseed_Process:
114 * Reseeds the drbg's Key (K) and Value (V) by calling
115 * (K,V) = drbg_hmac_update() with the following input parameters:
116 * ent = entropy input data (Can be NULL) of length ent_len.
117 * adin = additional input data (Can be NULL) of length adin_len.
119 * Returns zero if an error occurs otherwise it returns 1.
121 static int drbg_hmac_reseed(RAND_DRBG *drbg,
122 const unsigned char *ent, size_t ent_len,
123 const unsigned char *adin, size_t adin_len)
125 /* (Step 2) (K,V) = HMAC_DRBG_Update(entropy||additional_input, K, V) */
126 return drbg_hmac_update(drbg, ent, ent_len, adin, adin_len, NULL, 0);
130 * SP800-90Ar1 10.1.2.5 HMAC_DRBG_Generate_Process:
132 * Generates pseudo random bytes and updates the internal K,V for the drbg.
133 * out is a buffer to fill with outlen bytes of pseudo random data.
134 * adin is an additional_input string of size adin_len that may be NULL.
136 * Returns zero if an error occurs otherwise it returns 1.
138 static int drbg_hmac_generate(RAND_DRBG *drbg,
139 unsigned char *out, size_t outlen,
140 const unsigned char *adin, size_t adin_len)
142 RAND_DRBG_HMAC *hmac = &drbg->data.hmac;
143 HMAC_CTX *ctx = hmac->ctx;
144 const unsigned char *temp = hmac->V;
146 /* (Step 2) if adin != NULL then (K,V) = HMAC_DRBG_Update(adin, K, V) */
149 && !drbg_hmac_update(drbg, adin, adin_len, NULL, 0, NULL, 0))
153 * (Steps 3-5) temp = NULL
154 * while (len(temp) < outlen) {
160 if (!HMAC_Init_ex(ctx, hmac->K, hmac->blocklen, hmac->md, NULL)
161 || !HMAC_Update(ctx, temp, hmac->blocklen))
164 if (outlen > hmac->blocklen) {
165 if (!HMAC_Final(ctx, out, NULL))
169 if (!HMAC_Final(ctx, hmac->V, NULL))
171 memcpy(out, hmac->V, outlen);
174 out += hmac->blocklen;
175 outlen -= hmac->blocklen;
177 /* (Step 6) (K,V) = HMAC_DRBG_Update(adin, K, V) */
178 if (!drbg_hmac_update(drbg, adin, adin_len, NULL, 0, NULL, 0))
184 static int drbg_hmac_uninstantiate(RAND_DRBG *drbg)
186 HMAC_CTX_free(drbg->data.hmac.ctx);
187 OPENSSL_cleanse(&drbg->data.hmac, sizeof(drbg->data.hmac));
191 static RAND_DRBG_METHOD drbg_hmac_meth = {
192 drbg_hmac_instantiate,
195 drbg_hmac_uninstantiate
198 int drbg_hmac_init(RAND_DRBG *drbg)
200 const EVP_MD *md = NULL;
201 RAND_DRBG_HMAC *hmac = &drbg->data.hmac;
203 /* Any approved digest is allowed - assume we pass digest (not NID_hmac*) */
204 md = EVP_get_digestbynid(drbg->type);
208 drbg->meth = &drbg_hmac_meth;
210 if (hmac->ctx == NULL) {
211 hmac->ctx = HMAC_CTX_new();
212 if (hmac->ctx == NULL)
216 /* These are taken from SP 800-90 10.1 Table 2 */
218 hmac->blocklen = EVP_MD_size(md);
219 /* See SP800-57 Part1 Rev4 5.6.1 Table 3 */
220 drbg->strength = 64 * (int)(hmac->blocklen >> 3);
221 if (drbg->strength > 256)
222 drbg->strength = 256;
223 drbg->seedlen = hmac->blocklen;
225 drbg->min_entropylen = drbg->strength / 8;
226 drbg->max_entropylen = DRBG_MAX_LENGTH;
228 drbg->min_noncelen = drbg->min_entropylen / 2;
229 drbg->max_noncelen = DRBG_MAX_LENGTH;
231 drbg->max_perslen = DRBG_MAX_LENGTH;
232 drbg->max_adinlen = DRBG_MAX_LENGTH;
234 /* Maximum number of bits per request = 2^19 = 2^16 bytes*/
235 drbg->max_request = 1 << 16;