/src/openssl/crypto/deterministic_nonce.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | |
10 | | #include <openssl/bn.h> |
11 | | #include <openssl/evp.h> |
12 | | #include <openssl/core_names.h> |
13 | | #include <openssl/kdf.h> |
14 | | #include "internal/deterministic_nonce.h" |
15 | | |
16 | | /* |
17 | | * Convert a Bit String to an Integer (See RFC 6979 Section 2.3.2) |
18 | | * |
19 | | * Params: |
20 | | * out The returned Integer as a BIGNUM |
21 | | * qlen_bits The maximum size of the returned integer in bits. The returned |
22 | | * Integer is shifted right if inlen is larger than qlen_bits.. |
23 | | * in, inlen The input Bit String (in bytes). |
24 | | * Returns: 1 if successful, or 0 otherwise. |
25 | | */ |
26 | | static int bits2int(BIGNUM *out, int qlen_bits, |
27 | | const unsigned char *in, size_t inlen) |
28 | 0 | { |
29 | 0 | int blen_bits = inlen * 8; |
30 | 0 | int shift; |
31 | |
|
32 | 0 | if (BN_bin2bn(in, (int)inlen, out) == NULL) |
33 | 0 | return 0; |
34 | | |
35 | 0 | shift = blen_bits - qlen_bits; |
36 | 0 | if (shift > 0) |
37 | 0 | return BN_rshift(out, out, shift); |
38 | 0 | return 1; |
39 | 0 | } |
40 | | |
41 | | /* |
42 | | * Convert an Integer to an Octet String (See RFC 6979 2.3.3). |
43 | | * The value is zero padded if required. |
44 | | * |
45 | | * Params: |
46 | | * out The returned Octet String |
47 | | * num The input Integer |
48 | | * rlen The required size of the returned Octet String in bytes |
49 | | * Returns: 1 if successful, or 0 otherwis |
50 | | */ |
51 | | static int int2octets(unsigned char *out, const BIGNUM *num, int rlen) |
52 | 0 | { |
53 | 0 | return BN_bn2binpad(num, out, rlen) >= 0; |
54 | 0 | } |
55 | | |
56 | | /* |
57 | | * Convert a Bit String to an Octet String (See RFC 6979 Section 2.3.4) |
58 | | * |
59 | | * Params: |
60 | | * out The returned octet string. |
61 | | * q The modulus |
62 | | * qlen_bits The length of q in bits |
63 | | * rlen The value of qlen_bits rounded up to the nearest 8 bits. |
64 | | * in, inlen The input bit string (in bytes) |
65 | | * Returns: 1 if successful, or 0 otherwise. |
66 | | */ |
67 | | static int bits2octets(unsigned char *out, const BIGNUM *q, int qlen_bits, |
68 | | int rlen, const unsigned char *in, size_t inlen) |
69 | 0 | { |
70 | 0 | int ret = 0; |
71 | 0 | BIGNUM *z = BN_new(); |
72 | |
|
73 | 0 | if (z == NULL |
74 | 0 | || !bits2int(z, qlen_bits, in, inlen)) |
75 | 0 | goto err; |
76 | | |
77 | | /* z2 = z1 mod q (Do a simple subtract, since z1 < 2^qlen_bits) */ |
78 | 0 | if (BN_cmp(z, q) >= 0 |
79 | 0 | && !BN_usub(z, z, q)) |
80 | 0 | goto err; |
81 | | |
82 | 0 | ret = int2octets(out, z, rlen); |
83 | 0 | err: |
84 | 0 | BN_free(z); |
85 | 0 | return ret; |
86 | 0 | } |
87 | | |
88 | | /* |
89 | | * Setup a KDF HMAC_DRBG object using fixed entropy and nonce data. |
90 | | * |
91 | | * Params: |
92 | | * digestname The digest name for the HMAC |
93 | | * entropy, entropylen A fixed input entropy buffer |
94 | | * nonce, noncelen A fixed input nonce buffer |
95 | | * libctx, propq Are used for fetching algorithms |
96 | | * |
97 | | * Returns: The created KDF HMAC_DRBG object if successful, or NULL otherwise. |
98 | | */ |
99 | | static EVP_KDF_CTX *kdf_setup(const char *digestname, |
100 | | const unsigned char *entropy, size_t entropylen, |
101 | | const unsigned char *nonce, size_t noncelen, |
102 | | OSSL_LIB_CTX *libctx, const char *propq) |
103 | 0 | { |
104 | 0 | EVP_KDF_CTX *ctx = NULL; |
105 | 0 | EVP_KDF *kdf = NULL; |
106 | 0 | OSSL_PARAM params[5], *p; |
107 | |
|
108 | 0 | kdf = EVP_KDF_fetch(libctx, "HMAC-DRBG-KDF", propq); |
109 | 0 | ctx = EVP_KDF_CTX_new(kdf); |
110 | 0 | EVP_KDF_free(kdf); |
111 | 0 | if (ctx == NULL) |
112 | 0 | goto err; |
113 | | |
114 | 0 | p = params; |
115 | 0 | *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, |
116 | 0 | (char *)digestname, 0); |
117 | 0 | if (propq != NULL) |
118 | 0 | *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_PROPERTIES, |
119 | 0 | (char *)propq, 0); |
120 | 0 | *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_HMACDRBG_ENTROPY, |
121 | 0 | (void *)entropy, entropylen); |
122 | 0 | *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_HMACDRBG_NONCE, |
123 | 0 | (void *)nonce, noncelen); |
124 | 0 | *p = OSSL_PARAM_construct_end(); |
125 | |
|
126 | 0 | if (EVP_KDF_CTX_set_params(ctx, params) <= 0) |
127 | 0 | goto err; |
128 | | |
129 | 0 | return ctx; |
130 | 0 | err: |
131 | 0 | EVP_KDF_CTX_free(ctx); |
132 | 0 | return NULL; |
133 | 0 | } |
134 | | |
135 | | /* |
136 | | * Generate a Deterministic nonce 'k' for DSA/ECDSA as defined in |
137 | | * RFC 6979 Section 3.3. "Alternate Description of the Generation of k" |
138 | | * |
139 | | * Params: |
140 | | * out Returns the generated deterministic nonce 'k' |
141 | | * q A large prime number used for modulus operations for DSA and ECDSA. |
142 | | * priv The private key in the range [1, q-1] |
143 | | * hm, hmlen The digested message buffer in bytes |
144 | | * digestname The digest name used for signing. It is used as the HMAC digest. |
145 | | * libctx, propq Used for fetching algorithms |
146 | | * |
147 | | * Returns: 1 if successful, or 0 otherwise. |
148 | | */ |
149 | | int ossl_gen_deterministic_nonce_rfc6979(BIGNUM *out, const BIGNUM *q, |
150 | | const BIGNUM *priv, |
151 | | const unsigned char *hm, size_t hmlen, |
152 | | const char *digestname, |
153 | | OSSL_LIB_CTX *libctx, |
154 | | const char *propq) |
155 | 0 | { |
156 | 0 | EVP_KDF_CTX *kdfctx = NULL; |
157 | 0 | int ret = 0, rlen = 0, qlen_bits = 0; |
158 | 0 | unsigned char *entropyx = NULL, *nonceh = NULL, *T = NULL; |
159 | 0 | size_t allocsz = 0; |
160 | |
|
161 | 0 | if (out == NULL) |
162 | 0 | return 0; |
163 | | |
164 | 0 | qlen_bits = BN_num_bits(q); |
165 | 0 | if (qlen_bits == 0) |
166 | 0 | return 0; |
167 | | |
168 | | /* Note rlen used here is in bytes since the input values are byte arrays */ |
169 | 0 | rlen = (qlen_bits + 7) / 8; |
170 | 0 | allocsz = 3 * rlen; |
171 | | |
172 | | /* Use a single alloc for the buffers T, nonceh and entropyx */ |
173 | 0 | T = (unsigned char *)OPENSSL_zalloc(allocsz); |
174 | 0 | if (T == NULL) |
175 | 0 | return 0; |
176 | 0 | nonceh = T + rlen; |
177 | 0 | entropyx = nonceh + rlen; |
178 | |
|
179 | 0 | if (!int2octets(entropyx, priv, rlen) |
180 | 0 | || !bits2octets(nonceh, q, qlen_bits, rlen, hm, hmlen)) |
181 | 0 | goto end; |
182 | | |
183 | 0 | kdfctx = kdf_setup(digestname, entropyx, rlen, nonceh, rlen, libctx, propq); |
184 | 0 | if (kdfctx == NULL) |
185 | 0 | goto end; |
186 | | |
187 | 0 | do { |
188 | 0 | if (!EVP_KDF_derive(kdfctx, T, rlen, NULL) |
189 | 0 | || !bits2int(out, qlen_bits, T, rlen)) |
190 | 0 | goto end; |
191 | 0 | } while (BN_is_zero(out) || BN_is_one(out) || BN_cmp(out, q) >= 0); |
192 | 0 | ret = 1; |
193 | |
|
194 | 0 | end: |
195 | 0 | EVP_KDF_CTX_free(kdfctx); |
196 | 0 | OPENSSL_clear_free(T, allocsz); |
197 | 0 | return ret; |
198 | 0 | } |