2  * Copyright 2011-2025 The OpenSSL Project Authors. All Rights Reserved.
43 /* 888 bits from SP800-90Ar1 10.1 table 2 */
46 /* 440 bits from SP800-90Ar1 10.1 table 2 */
64  * SP800-90Ar1 10.3.1 Derivation function using a Hash Function (Hash_df).
66  *    inbyte - An optional leading byte (ignore if equal to INBYTE_IGNORE)
67  *    in - input string 1 (A Non NULL value).
68  *    in2 - optional input string (Can be NULL).
69  *    in3 - optional input string (Can be NULL).
78     PROV_DRBG_HASH *hash = (PROV_DRBG_HASH *)drbg->data;  in hash_df()
79     EVP_MD_CTX *ctx = hash->ctx;  in hash_df()
80     unsigned char *vtmp = hash->vtmp;  in hash_df()
84     size_t outlen = drbg->seedlen;  in hash_df()
91     /* (Step 3) counter = 1 (tmp[0] is the 8 bit counter) */  in hash_df()
102     /* (Step 4) */  in hash_df()
105          * (Step 4.1) out = out || Hash(tmp || in || [in2] || [in3])  in hash_df()
108         if (!(EVP_DigestInit_ex(ctx, ossl_prov_digest_md(&hash->digest), NULL)  in hash_df()
115         if (outlen < hash->blocklen) {  in hash_df()
119             OPENSSL_cleanse(vtmp, hash->blocklen);  in hash_df()
125         outlen -= hash->blocklen;  in hash_df()
128         /* (Step 4.2) counter++ */  in hash_df()
130         out += hash->blocklen;  in hash_df()
147  * where dst size is drbg->seedlen, and inlen <= drbg->seedlen.
157     assert(drbg->seedlen >= 1 && inlen >= 1 && inlen <= drbg->seedlen);  in add_bytes()
159     d = &dst[drbg->seedlen - 1];  in add_bytes()
160     add = &in[inlen - 1];  in add_bytes()
162     for (i = inlen; i > 0; i--, d--, add--) {  in add_bytes()
170         for (i = drbg->seedlen - inlen; i > 0; --i, d--) {  in add_bytes()
183     PROV_DRBG_HASH *hash = (PROV_DRBG_HASH *)drbg->data;  in add_hash_to_v()
184     EVP_MD_CTX *ctx = hash->ctx;  in add_hash_to_v()
186     return EVP_DigestInit_ex(ctx, ossl_prov_digest_md(&hash->digest), NULL)  in add_hash_to_v()
188            && EVP_DigestUpdate(ctx, hash->V, drbg->seedlen)  in add_hash_to_v()
190            && EVP_DigestFinal(ctx, hash->vtmp, NULL)  in add_hash_to_v()
191            && add_bytes(drbg, hash->V, hash->vtmp, hash->blocklen);  in add_hash_to_v()
195  * The Hashgen() as listed in SP800-90Ar1 10.1.1.4 Hash_DRBG_Generate_Process.
214     PROV_DRBG_HASH *hash = (PROV_DRBG_HASH *)drbg->data;  in hash_gen()
219     memcpy(hash->vtmp, hash->V, drbg->seedlen);  in hash_gen()
221         if (!EVP_DigestInit_ex(hash->ctx, ossl_prov_digest_md(&hash->digest),  in hash_gen()
223                 || !EVP_DigestUpdate(hash->ctx, hash->vtmp, drbg->seedlen))  in hash_gen()
226         if (outlen < hash->blocklen) {  in hash_gen()
227             if (!EVP_DigestFinal(hash->ctx, hash->vtmp, NULL))  in hash_gen()
229             memcpy(out, hash->vtmp, outlen);  in hash_gen()
232             if (!EVP_DigestFinal(hash->ctx, out, NULL))  in hash_gen()
234             outlen -= hash->blocklen;  in hash_gen()
237             out += hash->blocklen;  in hash_gen()
239         add_bytes(drbg, hash->vtmp, &one, 1);  in hash_gen()
245  * SP800-90Ar1 10.1.1.2 Hash_DRBG_Instantiate_Process:
258     PROV_DRBG_HASH *hash = (PROV_DRBG_HASH *)drbg->data;  in drbg_hash_instantiate()
260     EVP_MD_CTX_free(hash->ctx);  in drbg_hash_instantiate()
261     hash->ctx = EVP_MD_CTX_new();  in drbg_hash_instantiate()
263     /* (Step 1-3) V = Hash_df(entropy||nonce||pers, seedlen) */  in drbg_hash_instantiate()
264     return hash->ctx != NULL  in drbg_hash_instantiate()
265            && hash_df(drbg, hash->V, INBYTE_IGNORE,  in drbg_hash_instantiate()
267            /* (Step 4) C = Hash_df(0x00||V, seedlen) */  in drbg_hash_instantiate()
268            && hash_df1(drbg, hash->C, 0x00, hash->V, drbg->seedlen);  in drbg_hash_instantiate()
280     if (drbg->lock != NULL && !CRYPTO_THREAD_write_lock(drbg->lock))  in drbg_hash_instantiate_wrapper()
289     if (drbg->lock != NULL)  in drbg_hash_instantiate_wrapper()
290         CRYPTO_THREAD_unlock(drbg->lock);  in drbg_hash_instantiate_wrapper()
295  * SP800-90Ar1 10.1.1.3 Hash_DRBG_Reseed_Process:
306     PROV_DRBG_HASH *hash = (PROV_DRBG_HASH *)drbg->data;  in drbg_hash_reseed()
308     /* (Step 1-2) V = Hash_df(0x01 || V || entropy_input || additional_input) */  in drbg_hash_reseed()
310     if (!hash_df(drbg, hash->C, 0x01, hash->V, drbg->seedlen, ent, ent_len,  in drbg_hash_reseed()
313     memcpy(hash->V, hash->C, drbg->seedlen);  in drbg_hash_reseed()
314     /* (Step 4) C = Hash_df(0x00||V, seedlen) */  in drbg_hash_reseed()
315     return hash_df1(drbg, hash->C, 0x00, hash->V, drbg->seedlen);  in drbg_hash_reseed()
329  * SP800-90Ar1 10.1.1.4 Hash_DRBG_Generate_Process:
341     PROV_DRBG_HASH *hash = (PROV_DRBG_HASH *)drbg->data;  in drbg_hash_generate()
343     int reseed_counter = drbg->generate_counter;  in drbg_hash_generate()
350     return hash->ctx != NULL  in drbg_hash_generate()
352            /* (Step 2) if adin != NULL then V = V + Hash(0x02||V||adin) */  in drbg_hash_generate()
355            /* (Step 3) Hashgen(outlen, V) */  in drbg_hash_generate()
357            /* (Step 4/5) H = V = (V + Hash(0x03||V) mod (2^seedlen_bits) */  in drbg_hash_generate()
359            /* (Step 5) V = (V + H + C + reseed_counter) mod (2^seedlen_bits) */  in drbg_hash_generate()
361            && add_bytes(drbg, hash->V, hash->C, drbg->seedlen)  in drbg_hash_generate()
363            && add_bytes(drbg, hash->V, counter, 4);  in drbg_hash_generate()
378     PROV_DRBG_HASH *hash = (PROV_DRBG_HASH *)drbg->data;  in drbg_hash_uninstantiate()
380     OPENSSL_cleanse(hash->V, sizeof(hash->V));  in drbg_hash_uninstantiate()
381     OPENSSL_cleanse(hash->C, sizeof(hash->C));  in drbg_hash_uninstantiate()
382     OPENSSL_cleanse(hash->vtmp, sizeof(hash->vtmp));  in drbg_hash_uninstantiate()
391     if (drbg->lock != NULL && !CRYPTO_THREAD_write_lock(drbg->lock))  in drbg_hash_uninstantiate_wrapper()
396     if (drbg->lock != NULL)  in drbg_hash_uninstantiate_wrapper()
397         CRYPTO_THREAD_unlock(drbg->lock);  in drbg_hash_uninstantiate_wrapper()
405     PROV_DRBG_HASH *hash = (PROV_DRBG_HASH *)drbg->data;  in drbg_hash_verify_zeroization()
408     if (drbg->lock != NULL && !CRYPTO_THREAD_read_lock(drbg->lock))  in drbg_hash_verify_zeroization()
411     PROV_DRBG_VERIFY_ZEROIZATION(hash->V);  in drbg_hash_verify_zeroization()
412     PROV_DRBG_VERIFY_ZEROIZATION(hash->C);  in drbg_hash_verify_zeroization()
413     PROV_DRBG_VERIFY_ZEROIZATION(hash->vtmp);  in drbg_hash_verify_zeroization()
417     if (drbg->lock != NULL)  in drbg_hash_verify_zeroization()
418         CRYPTO_THREAD_unlock(drbg->lock);  in drbg_hash_verify_zeroization()
432     ctx->data = hash;  in drbg_hash_new()
433     ctx->seedlen = HASH_PRNG_MAX_SEEDLEN;  in drbg_hash_new()
434     ctx->max_entropylen = DRBG_MAX_LENGTH;  in drbg_hash_new()
435     ctx->max_noncelen = DRBG_MAX_LENGTH;  in drbg_hash_new()
436     ctx->max_perslen = DRBG_MAX_LENGTH;  in drbg_hash_new()
437     ctx->max_adinlen = DRBG_MAX_LENGTH;  in drbg_hash_new()
440     ctx->max_request = 1 << 16;  in drbg_hash_new()
458     if (drbg != NULL && (hash = (PROV_DRBG_HASH *)drbg->data) != NULL) {  in drbg_hash_free()
459         EVP_MD_CTX_free(hash->ctx);  in drbg_hash_free()
460         ossl_prov_digest_reset(&hash->digest);  in drbg_hash_free()
469     PROV_DRBG_HASH *hash = (PROV_DRBG_HASH *)drbg->data;  in drbg_hash_get_ctx_params()
480     if (drbg->lock != NULL && !CRYPTO_THREAD_read_lock(drbg->lock))  in drbg_hash_get_ctx_params()
485         md = ossl_prov_digest_md(&hash->digest);  in drbg_hash_get_ctx_params()
492     if (drbg->lock != NULL)  in drbg_hash_get_ctx_params()
493         CRYPTO_THREAD_unlock(drbg->lock);  in drbg_hash_get_ctx_params()
525     if (p->data_type != OSSL_PARAM_UTF8_STRING)  in drbg_fetch_digest_from_prov()
527     if ((prov = ossl_provider_find(libctx, (const char *)p->data, 1)) == NULL)  in drbg_fetch_digest_from_prov()
536     if (p->data_type != OSSL_PARAM_UTF8_STRING)  in drbg_fetch_digest_from_prov()
539     md = evp_digest_fetch_from_prov(prov, (const char *)p->data, NULL);  in drbg_fetch_digest_from_prov()
554     PROV_DRBG_HASH *hash = (PROV_DRBG_HASH *)ctx->data;  in drbg_hash_set_ctx_params_locked()
555     OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);  in drbg_hash_set_ctx_params_locked()
569         if (!ossl_prov_digest_load_from_params(&hash->digest, params, libctx))  in drbg_hash_set_ctx_params_locked()
574             ossl_prov_digest_set_md(&hash->digest, prov_md);  in drbg_hash_set_ctx_params_locked()
577     md = ossl_prov_digest_md(&hash->digest);  in drbg_hash_set_ctx_params_locked()
582         /* These are taken from SP 800-90 10.1 Table 2 */  in drbg_hash_set_ctx_params_locked()
586         hash->blocklen = md_size;  in drbg_hash_set_ctx_params_locked()
587         /* See SP800-57 Part1 Rev4 5.6.1 Table 3 */  in drbg_hash_set_ctx_params_locked()
588         ctx->strength = 64 * (hash->blocklen >> 3);  in drbg_hash_set_ctx_params_locked()
589         if (ctx->strength > 256)  in drbg_hash_set_ctx_params_locked()
590             ctx->strength = 256;  in drbg_hash_set_ctx_params_locked()
591         if (hash->blocklen > MAX_BLOCKLEN_USING_SMALL_SEEDLEN)  in drbg_hash_set_ctx_params_locked()
592             ctx->seedlen = HASH_PRNG_MAX_SEEDLEN;  in drbg_hash_set_ctx_params_locked()
594             ctx->seedlen = HASH_PRNG_SMALL_SEEDLEN;  in drbg_hash_set_ctx_params_locked()
596         ctx->min_entropylen = ctx->strength / 8;  in drbg_hash_set_ctx_params_locked()
597         ctx->min_noncelen = ctx->min_entropylen / 2;  in drbg_hash_set_ctx_params_locked()
608     if (drbg->lock != NULL && !CRYPTO_THREAD_write_lock(drbg->lock))  in drbg_hash_set_ctx_params()
613     if (drbg->lock != NULL)  in drbg_hash_set_ctx_params()
614         CRYPTO_THREAD_unlock(drbg->lock);  in drbg_hash_set_ctx_params()