/src/openssl/crypto/deterministic_nonce.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright 2022-2024 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | |
10 | | #include <string.h> |
11 | | #include <openssl/bn.h> |
12 | | #include <openssl/evp.h> |
13 | | #include <openssl/core_names.h> |
14 | | #include <openssl/kdf.h> |
15 | | #include "internal/deterministic_nonce.h" |
16 | | #include "crypto/bn.h" |
17 | | |
18 | | /* |
19 | | * Convert a Bit String to an Integer (See RFC 6979 Section 2.3.2) |
20 | | * |
21 | | * Params: |
22 | | * out The returned Integer as a BIGNUM |
23 | | * qlen_bits The maximum size of the returned integer in bits. The returned |
24 | | * Integer is shifted right if inlen is larger than qlen_bits.. |
25 | | * in, inlen The input Bit String (in bytes). |
26 | | * Returns: 1 if successful, or 0 otherwise. |
27 | | */ |
28 | | static int bits2int(BIGNUM *out, int qlen_bits, |
29 | | const unsigned char *in, size_t inlen) |
30 | 0 | { |
31 | 0 | int blen_bits = inlen * 8; |
32 | 0 | int shift; |
33 | |
|
34 | 0 | if (BN_bin2bn(in, (int)inlen, out) == NULL) |
35 | 0 | return 0; |
36 | | |
37 | 0 | shift = blen_bits - qlen_bits; |
38 | 0 | if (shift > 0) |
39 | 0 | return BN_rshift(out, out, shift); |
40 | 0 | return 1; |
41 | 0 | } |
42 | | |
43 | | /* |
44 | | * Convert as above a Bit String in const time to an Integer w fixed top |
45 | | * |
46 | | * Params: |
47 | | * out The returned Integer as a BIGNUM |
48 | | * qlen_bits The maximum size of the returned integer in bits. The returned |
49 | | * Integer is shifted right if inlen is larger than qlen_bits.. |
50 | | * in, inlen The input Bit String (in bytes). It has sizeof(BN_ULONG) bytes |
51 | | * prefix with all bits set that needs to be cleared out after |
52 | | * the conversion. |
53 | | * Returns: 1 if successful, or 0 otherwise. |
54 | | */ |
55 | | static int bits2int_consttime(BIGNUM *out, int qlen_bits, |
56 | | const unsigned char *in, size_t inlen) |
57 | 0 | { |
58 | 0 | int blen_bits = (inlen - sizeof(BN_ULONG)) * 8; |
59 | 0 | int shift; |
60 | |
|
61 | 0 | if (BN_bin2bn(in, (int)inlen, out) == NULL) |
62 | 0 | return 0; |
63 | | |
64 | 0 | BN_set_flags(out, BN_FLG_CONSTTIME); |
65 | 0 | ossl_bn_mask_bits_fixed_top(out, blen_bits); |
66 | |
|
67 | 0 | shift = blen_bits - qlen_bits; |
68 | 0 | if (shift > 0) |
69 | 0 | return bn_rshift_fixed_top(out, out, shift); |
70 | 0 | return 1; |
71 | 0 | } |
72 | | |
73 | | /* |
74 | | * Convert an Integer to an Octet String (See RFC 6979 2.3.3). |
75 | | * The value is zero padded if required. |
76 | | * |
77 | | * Params: |
78 | | * out The returned Octet String |
79 | | * num The input Integer |
80 | | * rlen The required size of the returned Octet String in bytes |
81 | | * Returns: 1 if successful, or 0 otherwise. |
82 | | */ |
83 | | static int int2octets(unsigned char *out, const BIGNUM *num, int rlen) |
84 | 0 | { |
85 | 0 | return BN_bn2binpad(num, out, rlen) >= 0; |
86 | 0 | } |
87 | | |
88 | | /* |
89 | | * Convert a Bit String to an Octet String (See RFC 6979 Section 2.3.4) |
90 | | * |
91 | | * Params: |
92 | | * out The returned octet string. |
93 | | * q The modulus |
94 | | * qlen_bits The length of q in bits |
95 | | * rlen The value of qlen_bits rounded up to the nearest 8 bits. |
96 | | * in, inlen The input bit string (in bytes) |
97 | | * Returns: 1 if successful, or 0 otherwise. |
98 | | */ |
99 | | static int bits2octets(unsigned char *out, const BIGNUM *q, int qlen_bits, |
100 | | int rlen, const unsigned char *in, size_t inlen) |
101 | 0 | { |
102 | 0 | int ret = 0; |
103 | 0 | BIGNUM *z = BN_new(); |
104 | |
|
105 | 0 | if (z == NULL |
106 | 0 | || !bits2int(z, qlen_bits, in, inlen)) |
107 | 0 | goto err; |
108 | | |
109 | | /* z2 = z1 mod q (Do a simple subtract, since z1 < 2^qlen_bits) */ |
110 | 0 | if (BN_cmp(z, q) >= 0 |
111 | 0 | && !BN_usub(z, z, q)) |
112 | 0 | goto err; |
113 | | |
114 | 0 | ret = int2octets(out, z, rlen); |
115 | 0 | err: |
116 | 0 | BN_free(z); |
117 | 0 | return ret; |
118 | 0 | } |
119 | | |
120 | | /* |
121 | | * Setup a KDF HMAC_DRBG object using fixed entropy and nonce data. |
122 | | * |
123 | | * Params: |
124 | | * digestname The digest name for the HMAC |
125 | | * entropy, entropylen A fixed input entropy buffer |
126 | | * nonce, noncelen A fixed input nonce buffer |
127 | | * libctx, propq Are used for fetching algorithms |
128 | | * |
129 | | * Returns: The created KDF HMAC_DRBG object if successful, or NULL otherwise. |
130 | | */ |
131 | | static EVP_KDF_CTX *kdf_setup(const char *digestname, |
132 | | const unsigned char *entropy, size_t entropylen, |
133 | | const unsigned char *nonce, size_t noncelen, |
134 | | OSSL_LIB_CTX *libctx, const char *propq) |
135 | 0 | { |
136 | 0 | EVP_KDF_CTX *ctx = NULL; |
137 | 0 | EVP_KDF *kdf = NULL; |
138 | 0 | OSSL_PARAM params[5], *p; |
139 | |
|
140 | 0 | kdf = EVP_KDF_fetch(libctx, "HMAC-DRBG-KDF", propq); |
141 | 0 | ctx = EVP_KDF_CTX_new(kdf); |
142 | 0 | EVP_KDF_free(kdf); |
143 | 0 | if (ctx == NULL) |
144 | 0 | goto err; |
145 | | |
146 | 0 | p = params; |
147 | 0 | *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, |
148 | 0 | (char *)digestname, 0); |
149 | 0 | if (propq != NULL) |
150 | 0 | *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_PROPERTIES, |
151 | 0 | (char *)propq, 0); |
152 | 0 | *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_HMACDRBG_ENTROPY, |
153 | 0 | (void *)entropy, entropylen); |
154 | 0 | *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_HMACDRBG_NONCE, |
155 | 0 | (void *)nonce, noncelen); |
156 | 0 | *p = OSSL_PARAM_construct_end(); |
157 | |
|
158 | 0 | if (EVP_KDF_CTX_set_params(ctx, params) <= 0) |
159 | 0 | goto err; |
160 | | |
161 | 0 | return ctx; |
162 | 0 | err: |
163 | 0 | EVP_KDF_CTX_free(ctx); |
164 | 0 | return NULL; |
165 | 0 | } |
166 | | |
167 | | /* |
168 | | * Generate a Deterministic nonce 'k' for DSA/ECDSA as defined in |
169 | | * RFC 6979 Section 3.3. "Alternate Description of the Generation of k" |
170 | | * |
171 | | * Params: |
172 | | * out Returns the generated deterministic nonce 'k' |
173 | | * q A large prime number used for modulus operations for DSA and ECDSA. |
174 | | * priv The private key in the range [1, q-1] |
175 | | * hm, hmlen The digested message buffer in bytes |
176 | | * digestname The digest name used for signing. It is used as the HMAC digest. |
177 | | * libctx, propq Used for fetching algorithms |
178 | | * |
179 | | * Returns: 1 if successful, or 0 otherwise. |
180 | | */ |
181 | | int ossl_gen_deterministic_nonce_rfc6979(BIGNUM *out, const BIGNUM *q, |
182 | | const BIGNUM *priv, |
183 | | const unsigned char *hm, size_t hmlen, |
184 | | const char *digestname, |
185 | | OSSL_LIB_CTX *libctx, |
186 | | const char *propq) |
187 | 0 | { |
188 | 0 | EVP_KDF_CTX *kdfctx = NULL; |
189 | 0 | int ret = 0, rlen = 0, qlen_bits = 0; |
190 | 0 | unsigned char *entropyx = NULL, *nonceh = NULL, *rbits = NULL, *T = NULL; |
191 | 0 | size_t allocsz = 0; |
192 | 0 | const size_t prefsz = sizeof(BN_ULONG); |
193 | |
|
194 | 0 | if (out == NULL) |
195 | 0 | return 0; |
196 | | |
197 | 0 | qlen_bits = BN_num_bits(q); |
198 | 0 | if (qlen_bits == 0) |
199 | 0 | return 0; |
200 | | |
201 | | /* Note rlen used here is in bytes since the input values are byte arrays */ |
202 | 0 | rlen = (qlen_bits + 7) / 8; |
203 | 0 | allocsz = prefsz + 3 * rlen; |
204 | | |
205 | | /* Use a single alloc for the buffers T, nonceh and entropyx */ |
206 | 0 | T = (unsigned char *)OPENSSL_zalloc(allocsz); |
207 | 0 | if (T == NULL) |
208 | 0 | return 0; |
209 | 0 | rbits = T + prefsz; |
210 | 0 | nonceh = rbits + rlen; |
211 | 0 | entropyx = nonceh + rlen; |
212 | |
|
213 | 0 | memset(T, 0xff, prefsz); |
214 | |
|
215 | 0 | if (!int2octets(entropyx, priv, rlen) |
216 | 0 | || !bits2octets(nonceh, q, qlen_bits, rlen, hm, hmlen)) |
217 | 0 | goto end; |
218 | | |
219 | 0 | kdfctx = kdf_setup(digestname, entropyx, rlen, nonceh, rlen, libctx, propq); |
220 | 0 | if (kdfctx == NULL) |
221 | 0 | goto end; |
222 | | |
223 | 0 | do { |
224 | 0 | if (!EVP_KDF_derive(kdfctx, rbits, rlen, NULL) |
225 | 0 | || !bits2int_consttime(out, qlen_bits, T, rlen + prefsz)) |
226 | 0 | goto end; |
227 | 0 | } while (ossl_bn_is_word_fixed_top(out, 0) |
228 | 0 | || ossl_bn_is_word_fixed_top(out, 1) |
229 | 0 | || BN_ucmp(out, q) >= 0); |
230 | | #ifdef BN_DEBUG |
231 | | /* With BN_DEBUG on a fixed top number cannot be returned */ |
232 | | bn_correct_top(out); |
233 | | #endif |
234 | 0 | ret = 1; |
235 | |
|
236 | 0 | end: |
237 | 0 | EVP_KDF_CTX_free(kdfctx); |
238 | 0 | OPENSSL_clear_free(T, allocsz); |
239 | 0 | return ret; |
240 | 0 | } |