2  * Copyright 2011-2025 The OpenSSL Project Authors. All Rights Reserved.
41  * Called twice by SP800-90Ar1 10.1.2.2 HMAC_DRBG_Update_Process.
49  *   hmac->K = HMAC(hmac->K, hmac->V || inbyte || [in1] || [in2] || [in3])
50  *   hmac->V = HMAC(hmac->K, hmac->V)
59     EVP_MAC_CTX *ctx = hmac->ctx;  in do_hmac()
61     if (!EVP_MAC_init(ctx, hmac->K, hmac->blocklen, NULL)  in do_hmac()
63             || !EVP_MAC_update(ctx, hmac->V, hmac->blocklen)  in do_hmac()
68             || !EVP_MAC_final(ctx, hmac->K, NULL, sizeof(hmac->K)))  in do_hmac()
72     return EVP_MAC_init(ctx, hmac->K, hmac->blocklen, NULL)  in do_hmac()
73            && EVP_MAC_update(ctx, hmac->V, hmac->blocklen)  in do_hmac()
74            && EVP_MAC_final(ctx, hmac->V, NULL, sizeof(hmac->V));  in do_hmac()
78  * SP800-90Ar1 10.1.2.2 HMAC_DRBG_Update_Process
96     /* (Steps 1-2) K = HMAC(K, V||0x00||provided_data). V = HMAC(K,V) */  in drbg_hmac_update()
99     /* (Step 3) If provided_data == NULL then return (K,V) */  in drbg_hmac_update()
102     /* (Steps 4-5) K = HMAC(K, V||0x01||provided_data). V = HMAC(K,V) */  in drbg_hmac_update()
107  * SP800-90Ar1 10.1.2.3 HMAC_DRBG_Instantiate_Process:
122     if (hmac->ctx == NULL) {  in ossl_drbg_hmac_init()
127     /* (Step 2) Key = 0x00 00...00 */  in ossl_drbg_hmac_init()
128     memset(hmac->K, 0x00, hmac->blocklen);  in ossl_drbg_hmac_init()
129     /* (Step 3) V = 0x01 01...01 */  in ossl_drbg_hmac_init()
130     memset(hmac->V, 0x01, hmac->blocklen);  in ossl_drbg_hmac_init()
131     /* (Step 4) (K,V) = HMAC_DRBG_Update(entropy||nonce||pers string, K, V) */  in ossl_drbg_hmac_init()
140     return ossl_drbg_hmac_init((PROV_DRBG_HMAC *)drbg->data, ent, ent_len,  in drbg_hmac_instantiate()
153     if (drbg->lock != NULL && !CRYPTO_THREAD_write_lock(drbg->lock))  in drbg_hmac_instantiate_wrapper()
162     if (drbg->lock != NULL)  in drbg_hmac_instantiate_wrapper()
163         CRYPTO_THREAD_unlock(drbg->lock);  in drbg_hmac_instantiate_wrapper()
169  * SP800-90Ar1 10.1.2.4 HMAC_DRBG_Reseed_Process:
182     PROV_DRBG_HMAC *hmac = (PROV_DRBG_HMAC *)drbg->data;  in drbg_hmac_reseed()
184     /* (Step 2) (K,V) = HMAC_DRBG_Update(entropy||additional_input, K, V) */  in drbg_hmac_reseed()
199  * SP800-90Ar1 10.1.2.5 HMAC_DRBG_Generate_Process:
211     EVP_MAC_CTX *ctx = hmac->ctx;  in ossl_drbg_hmac_generate()
212     const unsigned char *temp = hmac->V;  in ossl_drbg_hmac_generate()
214     /* (Step 2) if adin != NULL then (K,V) = HMAC_DRBG_Update(adin, K, V) */  in ossl_drbg_hmac_generate()
221      * (Steps 3-5) temp = NULL  in ossl_drbg_hmac_generate()
228         if (!EVP_MAC_init(ctx, hmac->K, hmac->blocklen, NULL)  in ossl_drbg_hmac_generate()
229             || !EVP_MAC_update(ctx, temp, hmac->blocklen))  in ossl_drbg_hmac_generate()
232         if (outlen > hmac->blocklen) {  in ossl_drbg_hmac_generate()
237             if (!EVP_MAC_final(ctx, hmac->V, NULL, sizeof(hmac->V)))  in ossl_drbg_hmac_generate()
239             memcpy(out, hmac->V, outlen);  in ossl_drbg_hmac_generate()
242         out += hmac->blocklen;  in ossl_drbg_hmac_generate()
243         outlen -= hmac->blocklen;  in ossl_drbg_hmac_generate()
245     /* (Step 6) (K,V) = HMAC_DRBG_Update(adin, K, V) */  in ossl_drbg_hmac_generate()
256     return ossl_drbg_hmac_generate((PROV_DRBG_HMAC *)drbg->data, out, outlen,  in drbg_hmac_generate()
272     PROV_DRBG_HMAC *hmac = (PROV_DRBG_HMAC *)drbg->data;  in drbg_hmac_uninstantiate()
274     OPENSSL_cleanse(hmac->K, sizeof(hmac->K));  in drbg_hmac_uninstantiate()
275     OPENSSL_cleanse(hmac->V, sizeof(hmac->V));  in drbg_hmac_uninstantiate()
284     if (drbg->lock != NULL && !CRYPTO_THREAD_write_lock(drbg->lock))  in drbg_hmac_uninstantiate_wrapper()
289     if (drbg->lock != NULL)  in drbg_hmac_uninstantiate_wrapper()
290         CRYPTO_THREAD_unlock(drbg->lock);  in drbg_hmac_uninstantiate_wrapper()
298     PROV_DRBG_HMAC *hmac = (PROV_DRBG_HMAC *)drbg->data;  in drbg_hmac_verify_zeroization()
301     if (drbg->lock != NULL && !CRYPTO_THREAD_read_lock(drbg->lock))  in drbg_hmac_verify_zeroization()
304     PROV_DRBG_VERIFY_ZEROIZATION(hmac->K);  in drbg_hmac_verify_zeroization()
305     PROV_DRBG_VERIFY_ZEROIZATION(hmac->V);  in drbg_hmac_verify_zeroization()
309     if (drbg->lock != NULL)  in drbg_hmac_verify_zeroization()
310         CRYPTO_THREAD_unlock(drbg->lock);  in drbg_hmac_verify_zeroization()
324     drbg->data = hmac;  in drbg_hmac_new()
325     /* See SP800-57 Part1 Rev4 5.6.1 Table 3 */  in drbg_hmac_new()
326     drbg->max_entropylen = DRBG_MAX_LENGTH;  in drbg_hmac_new()
327     drbg->max_noncelen = DRBG_MAX_LENGTH;  in drbg_hmac_new()
328     drbg->max_perslen = DRBG_MAX_LENGTH;  in drbg_hmac_new()
329     drbg->max_adinlen = DRBG_MAX_LENGTH;  in drbg_hmac_new()
332     drbg->max_request = 1 << 16;  in drbg_hmac_new()
350     if (drbg != NULL && (hmac = (PROV_DRBG_HMAC *)drbg->data) != NULL) {  in drbg_hmac_free()
351         EVP_MAC_CTX_free(hmac->ctx);  in drbg_hmac_free()
352         ossl_prov_digest_reset(&hmac->digest);  in drbg_hmac_free()
361     PROV_DRBG_HMAC *hmac = (PROV_DRBG_HMAC *)drbg->data;  in drbg_hmac_get_ctx_params()
373     if (drbg->lock != NULL && !CRYPTO_THREAD_read_lock(drbg->lock))  in drbg_hmac_get_ctx_params()
378         if (hmac->ctx == NULL)  in drbg_hmac_get_ctx_params()
380         name = EVP_MAC_get0_name(EVP_MAC_CTX_get0_mac(hmac->ctx));  in drbg_hmac_get_ctx_params()
387         md = ossl_prov_digest_md(&hmac->digest);  in drbg_hmac_get_ctx_params()
394     if (drbg->lock != NULL)  in drbg_hmac_get_ctx_params()
395         CRYPTO_THREAD_unlock(drbg->lock);  in drbg_hmac_get_ctx_params()
430     if (p->data_type != OSSL_PARAM_UTF8_STRING)  in drbg_fetch_algs_from_prov()
432     if ((prov = ossl_provider_find(libctx, (const char *)p->data, 1)) == NULL)  in drbg_fetch_algs_from_prov()
437         if (p->data_type != OSSL_PARAM_UTF8_STRING)  in drbg_fetch_algs_from_prov()
440         md = evp_digest_fetch_from_prov(prov, (const char *)p->data, NULL);  in drbg_fetch_algs_from_prov()
455     if (p->data_type != OSSL_PARAM_UTF8_STRING)  in drbg_fetch_algs_from_prov()
461     mac = evp_mac_fetch_from_prov(prov, (const char *)p->data, NULL);  in drbg_fetch_algs_from_prov()
477     PROV_DRBG_HMAC *hmac = (PROV_DRBG_HMAC *)ctx->data;  in drbg_hmac_set_ctx_params_locked()
478     OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);  in drbg_hmac_set_ctx_params_locked()
489     if (!drbg_fetch_algs_from_prov(params, libctx, &hmac->ctx, &prov_md)) {  in drbg_hmac_set_ctx_params_locked()
492         if (!ossl_prov_digest_load_from_params(&hmac->digest, params, libctx))  in drbg_hmac_set_ctx_params_locked()
495         if (!ossl_prov_macctx_load_from_params(&hmac->ctx, params,  in drbg_hmac_set_ctx_params_locked()
501             ossl_prov_digest_set_md(&hmac->digest, prov_md);  in drbg_hmac_set_ctx_params_locked()
504     md = ossl_prov_digest_md(&hmac->digest);  in drbg_hmac_set_ctx_params_locked()
508     if (md != NULL && hmac->ctx != NULL) {  in drbg_hmac_set_ctx_params_locked()
509         /* These are taken from SP 800-90 10.1 Table 2 */  in drbg_hmac_set_ctx_params_locked()
513         hmac->blocklen = (size_t)md_size;  in drbg_hmac_set_ctx_params_locked()
514         /* See SP800-57 Part1 Rev4 5.6.1 Table 3 */  in drbg_hmac_set_ctx_params_locked()
515         ctx->strength = 64 * (int)(hmac->blocklen >> 3);  in drbg_hmac_set_ctx_params_locked()
516         if (ctx->strength > 256)  in drbg_hmac_set_ctx_params_locked()
517             ctx->strength = 256;  in drbg_hmac_set_ctx_params_locked()
518         ctx->seedlen = hmac->blocklen;  in drbg_hmac_set_ctx_params_locked()
519         ctx->min_entropylen = ctx->strength / 8;  in drbg_hmac_set_ctx_params_locked()
520         ctx->min_noncelen = ctx->min_entropylen / 2;  in drbg_hmac_set_ctx_params_locked()
531     if (drbg->lock != NULL && !CRYPTO_THREAD_write_lock(drbg->lock))  in drbg_hmac_set_ctx_params()
536     if (drbg->lock != NULL)  in drbg_hmac_set_ctx_params()
537         CRYPTO_THREAD_unlock(drbg->lock);  in drbg_hmac_set_ctx_params()