1 /* hmac_prng.c - TinyCrypt implementation of HMAC-PRNG */
2 
3 /*
4  *  Copyright (C) 2017 by Intel Corporation, All Rights Reserved.
5  *
6  *  Redistribution and use in source and binary forms, with or without
7  *  modification, are permitted provided that the following conditions are met:
8  *
9  *    - Redistributions of source code must retain the above copyright notice,
10  *     this list of conditions and the following disclaimer.
11  *
12  *    - Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  *
16  *    - Neither the name of Intel Corporation nor the names of its contributors
17  *    may be used to endorse or promote products derived from this software
18  *    without specific prior written permission.
19  *
20  *  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21  *  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22  *  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23  *  ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
24  *  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25  *  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26  *  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27  *  INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28  *  CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29  *  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30  *  POSSIBILITY OF SUCH DAMAGE.
31  */
32 
33 #include <tinycrypt/hmac_prng.h>
34 #include <tinycrypt/hmac.h>
35 #include <tinycrypt/constants.h>
36 #include <tinycrypt/utils.h>
37 
38 /*
39  * min bytes in the seed string.
40  * MIN_SLEN*8 must be at least the expected security level.
41  */
42 static const unsigned int MIN_SLEN = 32;
43 
44 /*
45  * max bytes in the seed string;
46  * SP800-90A specifies a maximum of 2^35 bits (i.e., 2^32 bytes).
47  */
48 static const unsigned int MAX_SLEN = UINT32_MAX;
49 
50 /*
51  * max bytes in the personalization string;
52  * SP800-90A specifies a maximum of 2^35 bits (i.e., 2^32 bytes).
53  */
54 static const unsigned int MAX_PLEN = UINT32_MAX;
55 
56 /*
57  * max bytes in the additional_info string;
58  * SP800-90A specifies a maximum of 2^35 bits (i.e., 2^32 bytes).
59  */
60 static const unsigned int MAX_ALEN = UINT32_MAX;
61 
62 /*
63  * max number of generates between re-seeds;
64  * TinyCrypt accepts up to (2^32 - 1) which is the maximal value of
65  * a 32-bit unsigned int variable, while SP800-90A specifies a maximum of 2^48.
66  */
67 static const unsigned int MAX_GENS = UINT32_MAX;
68 
69 /*
70  * maximum bytes per generate call;
71  * SP800-90A specifies a maximum up to 2^19.
72  */
73 static const unsigned int  MAX_OUT = (1 << 19);
74 
75 /*
76  * Assumes: prng != NULL
77  */
update(TCHmacPrng_t prng,const uint8_t * data,unsigned int datalen,const uint8_t * additional_data,unsigned int additional_datalen)78 static void update(TCHmacPrng_t prng, const uint8_t *data, unsigned int datalen, const uint8_t *additional_data, unsigned int additional_datalen)
79 {
80     const uint8_t separator0 = 0x00;
81     const uint8_t separator1 = 0x01;
82 
83     /* configure the new prng key into the prng's instance of hmac */
84     tc_hmac_set_key(&prng->h, prng->key, sizeof(prng->key));
85 
86     /* use current state, e and separator 0 to compute a new prng key: */
87     (void)tc_hmac_init(&prng->h);
88     (void)tc_hmac_update(&prng->h, prng->v, sizeof(prng->v));
89     (void)tc_hmac_update(&prng->h, &separator0, sizeof(separator0));
90 
91     if (data && datalen) {
92         (void)tc_hmac_update(&prng->h, data, datalen);
93     }
94     if (additional_data && additional_datalen) {
95         (void)tc_hmac_update(&prng->h, additional_data, additional_datalen);
96     }
97 
98     (void)tc_hmac_final(prng->key, sizeof(prng->key), &prng->h);
99 
100     /* configure the new prng key into the prng's instance of hmac */
101     (void)tc_hmac_set_key(&prng->h, prng->key, sizeof(prng->key));
102 
103     /* use the new key to compute a new state variable v */
104     (void)tc_hmac_init(&prng->h);
105     (void)tc_hmac_update(&prng->h, prng->v, sizeof(prng->v));
106     (void)tc_hmac_final(prng->v, sizeof(prng->v), &prng->h);
107 
108     if (data == 0 || datalen == 0) {
109         return;
110     }
111 
112     /* configure the new prng key into the prng's instance of hmac */
113     tc_hmac_set_key(&prng->h, prng->key, sizeof(prng->key));
114 
115     /* use current state, e and separator 1 to compute a new prng key: */
116     (void)tc_hmac_init(&prng->h);
117     (void)tc_hmac_update(&prng->h, prng->v, sizeof(prng->v));
118     (void)tc_hmac_update(&prng->h, &separator1, sizeof(separator1));
119     (void)tc_hmac_update(&prng->h, data, datalen);
120     if (additional_data && additional_datalen) {
121         (void)tc_hmac_update(&prng->h, additional_data, additional_datalen);
122     }
123     (void)tc_hmac_final(prng->key, sizeof(prng->key), &prng->h);
124 
125     /* configure the new prng key into the prng's instance of hmac */
126     (void)tc_hmac_set_key(&prng->h, prng->key, sizeof(prng->key));
127 
128     /* use the new key to compute a new state variable v */
129     (void)tc_hmac_init(&prng->h);
130     (void)tc_hmac_update(&prng->h, prng->v, sizeof(prng->v));
131     (void)tc_hmac_final(prng->v, sizeof(prng->v), &prng->h);
132 }
133 
tc_hmac_prng_init(TCHmacPrng_t prng,const uint8_t * personalization,unsigned int plen)134 int tc_hmac_prng_init(TCHmacPrng_t prng,
135                       const uint8_t *personalization,
136                       unsigned int plen)
137 {
138 
139     /* input sanity check: */
140     if (prng == (TCHmacPrng_t) 0 ||
141             personalization == (uint8_t *) 0 ||
142             plen > MAX_PLEN) {
143         return TC_CRYPTO_FAIL;
144     }
145 
146     /* put the generator into a known state: */
147     _set(prng->key, 0x00, sizeof(prng->key));
148     _set(prng->v, 0x01, sizeof(prng->v));
149 
150     update(prng, personalization, plen, 0, 0);
151 
152     /* force a reseed before allowing tc_hmac_prng_generate to succeed: */
153     prng->countdown = 0;
154 
155     return TC_CRYPTO_SUCCESS;
156 }
157 
tc_hmac_prng_reseed(TCHmacPrng_t prng,const uint8_t * seed,unsigned int seedlen,const uint8_t * additional_input,unsigned int additionallen)158 int tc_hmac_prng_reseed(TCHmacPrng_t prng,
159                         const uint8_t *seed,
160                         unsigned int seedlen,
161                         const uint8_t *additional_input,
162                         unsigned int additionallen)
163 {
164 
165     /* input sanity check: */
166     if (prng == (TCHmacPrng_t) 0 ||
167             seed == (const uint8_t *) 0 ||
168             seedlen < MIN_SLEN ||
169             seedlen > MAX_SLEN) {
170         return TC_CRYPTO_FAIL;
171     }
172 
173     if (additional_input != (const uint8_t *) 0) {
174         /*
175          * Abort if additional_input is provided but has inappropriate
176          * length
177          */
178         if (additionallen == 0 ||
179                 additionallen > MAX_ALEN) {
180             return TC_CRYPTO_FAIL;
181         } else {
182             /* call update for the seed and additional_input */
183             update(prng, seed, seedlen, additional_input, additionallen);
184         }
185     } else {
186         /* call update only for the seed */
187         update(prng, seed, seedlen, 0, 0);
188     }
189 
190     /* ... and enable hmac_prng_generate */
191     prng->countdown = MAX_GENS;
192 
193     return TC_CRYPTO_SUCCESS;
194 }
195 
tc_hmac_prng_generate(uint8_t * out,unsigned int outlen,TCHmacPrng_t prng)196 int tc_hmac_prng_generate(uint8_t *out, unsigned int outlen, TCHmacPrng_t prng)
197 {
198     unsigned int bufferlen;
199 
200     /* input sanity check: */
201     if (out == (uint8_t *) 0 ||
202             prng == (TCHmacPrng_t) 0 ||
203             outlen == 0 ||
204             outlen > MAX_OUT) {
205         return TC_CRYPTO_FAIL;
206     } else if (prng->countdown == 0) {
207         return TC_HMAC_PRNG_RESEED_REQ;
208     }
209 
210     prng->countdown--;
211 
212     while (outlen != 0) {
213         /* configure the new prng key into the prng's instance of hmac */
214         tc_hmac_set_key(&prng->h, prng->key, sizeof(prng->key));
215 
216         /* operate HMAC in OFB mode to create "random" outputs */
217         (void)tc_hmac_init(&prng->h);
218         (void)tc_hmac_update(&prng->h, prng->v, sizeof(prng->v));
219         (void)tc_hmac_final(prng->v, sizeof(prng->v), &prng->h);
220 
221         bufferlen = (TC_SHA256_DIGEST_SIZE > outlen) ?
222                     outlen : TC_SHA256_DIGEST_SIZE;
223         (void)_copy(out, bufferlen, prng->v, bufferlen);
224 
225         out += bufferlen;
226         outlen = (outlen > TC_SHA256_DIGEST_SIZE) ?
227                  (outlen - TC_SHA256_DIGEST_SIZE) : 0;
228     }
229 
230     /* block future PRNG compromises from revealing past state */
231     update(prng, 0, 0, 0, 0);
232 
233     return TC_CRYPTO_SUCCESS;
234 }
235