2 * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/bn.h>
11 #include <openssl/evp.h>
12 #include <openssl/core_names.h>
13 #include <openssl/kdf.h>
14 #include "internal/deterministic_nonce.h"
17 * Convert a Bit String to an Integer (See RFC 6979 Section 2.3.2)
20 * out The returned Integer as a BIGNUM
21 * qlen_bits The maximum size of the returned integer in bits. The returned
22 * Integer is shifted right if inlen is larger than qlen_bits..
23 * in, inlen The input Bit String (in bytes).
24 * Returns: 1 if successful, or 0 otherwise.
26 static int bits2int(BIGNUM *out, int qlen_bits,
27 const unsigned char *in, size_t inlen)
29 int blen_bits = inlen * 8;
32 if (BN_bin2bn(in, (int)inlen, out) == NULL)
35 shift = blen_bits - qlen_bits;
37 return BN_rshift(out, out, shift);
42 * Convert an Integer to an Octet String (See RFC 6979 2.3.3).
43 * The value is zero padded if required.
46 * out The returned Octet String
47 * num The input Integer
48 * rlen The required size of the returned Octet String in bytes
49 * Returns: 1 if successful, or 0 otherwis
51 static int int2octets(unsigned char *out, const BIGNUM *num, int rlen)
53 return BN_bn2binpad(num, out, rlen) >= 0;
57 * Convert a Bit String to an Octet String (See RFC 6979 Section 2.3.4)
60 * out The returned octet string.
62 * qlen_bits The length of q in bits
63 * rlen The value of qlen_bits rounded up to the nearest 8 bits.
64 * in, inlen The input bit string (in bytes)
65 * Returns: 1 if successful, or 0 otherwise.
67 static int bits2octets(unsigned char *out, const BIGNUM *q, int qlen_bits,
68 int rlen, const unsigned char *in, size_t inlen)
74 || !bits2int(z, qlen_bits, in, inlen))
77 /* z2 = z1 mod q (Do a simple subtract, since z1 < 2^qlen_bits) */
82 ret = int2octets(out, z, rlen);
89 * Setup a KDF HMAC_DRBG object using fixed entropy and nonce data.
92 * digestname The digest name for the HMAC
93 * entropy, entropylen A fixed input entropy buffer
94 * nonce, noncelen A fixed input nonce buffer
95 * libctx, propq Are used for fetching algorithms
97 * Returns: The created KDF HMAC_DRBG object if successful, or NULL otherwise.
99 static EVP_KDF_CTX *kdf_setup(const char *digestname,
100 const unsigned char *entropy, size_t entropylen,
101 const unsigned char *nonce, size_t noncelen,
102 OSSL_LIB_CTX *libctx, const char *propq)
104 EVP_KDF_CTX *ctx = NULL;
106 OSSL_PARAM params[5], *p;
108 kdf = EVP_KDF_fetch(libctx, "HMAC-DRBG-KDF", propq);
109 ctx = EVP_KDF_CTX_new(kdf);
115 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
116 (char *)digestname, 0);
118 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_PROPERTIES,
120 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_HMACDRBG_ENTROPY,
121 (void *)entropy, entropylen);
122 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_HMACDRBG_NONCE,
123 (void *)nonce, noncelen);
124 *p = OSSL_PARAM_construct_end();
126 if (EVP_KDF_CTX_set_params(ctx, params) <= 0)
131 EVP_KDF_CTX_free(ctx);
136 * Generate a Deterministic nonce 'k' for DSA/ECDSA as defined in
137 * RFC 6979 Section 3.3. "Alternate Description of the Generation of k"
140 * out Returns the generated deterministic nonce 'k'
141 * q A large prime number used for modulus operations for DSA and ECDSA.
142 * priv The private key in the range [1, q-1]
143 * hm, hmlen The digested message buffer in bytes
144 * digestname The digest name used for signing. It is used as the HMAC digest.
145 * libctx, propq Used for fetching algorithms
147 * Returns: 1 if successful, or 0 otherwise.
149 int ossl_gen_deterministic_nonce_rfc6979(BIGNUM *out, const BIGNUM *q,
151 const unsigned char *hm, size_t hmlen,
152 const char *digestname,
153 OSSL_LIB_CTX *libctx,
156 EVP_KDF_CTX *kdfctx = NULL;
157 int ret = 0, rlen = 0, qlen_bits = 0;
158 unsigned char *entropyx = NULL, *nonceh = NULL, *T = NULL;
164 qlen_bits = BN_num_bits(q);
168 /* Note rlen used here is in bytes since the input values are byte arrays */
169 rlen = (qlen_bits + 7) / 8;
172 /* Use a single alloc for the buffers T, nonceh and entropyx */
173 T = (unsigned char *)OPENSSL_zalloc(allocsz);
177 entropyx = nonceh + rlen;
179 if (!int2octets(entropyx, priv, rlen)
180 || !bits2octets(nonceh, q, qlen_bits, rlen, hm, hmlen))
183 kdfctx = kdf_setup(digestname, entropyx, rlen, nonceh, rlen, libctx, propq);
188 if (!EVP_KDF_derive(kdfctx, T, rlen, NULL)
189 || !bits2int(out, qlen_bits, T, rlen))
191 } while (BN_is_zero(out) || BN_is_one(out) || BN_cmp(out, q) >= 0);
195 EVP_KDF_CTX_free(kdfctx);
196 OPENSSL_clear_free(T, allocsz);