/* * Simplified HMAC_DRBG initialisation (for use with deterministic ECDSA) */ SSL_ROM_TEXT_SECTION int hmac_drbg_init_buf( hmac_drbg_context *ctx, const md_info_t * md_info, const unsigned char *data, size_t data_len ) { int ret; memset( ctx, 0, sizeof( hmac_drbg_context ) ); md_init( &ctx->md_ctx ); if( ( ret = md_init_ctx( &ctx->md_ctx, md_info ) ) != 0 ) return( ret ); /* * Set initial working state. * Use the V memory location, which is currently all 0, to initialize the * MD context with an all-zero key. Then set V to its initial value. */ md_hmac_starts( &ctx->md_ctx, ctx->V, md_info->size ); memset( ctx->V, 0x01, md_info->size ); hmac_drbg_update( ctx, data, data_len ); return( 0 ); }
/* * HMAC_DRBG update, using optional additional data (10.1.2.2) */ SSL_ROM_TEXT_SECTION void hmac_drbg_update( hmac_drbg_context *ctx, const unsigned char *additional, size_t add_len ) { size_t md_len = ctx->md_ctx.md_info->size; unsigned char rounds = ( additional != NULL && add_len != 0 ) ? 2 : 1; unsigned char sep[1]; unsigned char K[POLARSSL_MD_MAX_SIZE]; for( sep[0] = 0; sep[0] < rounds; sep[0]++ ) { /* Step 1 or 4 */ md_hmac_reset( &ctx->md_ctx ); md_hmac_update( &ctx->md_ctx, ctx->V, md_len ); md_hmac_update( &ctx->md_ctx, sep, 1 ); if( rounds == 2 ) md_hmac_update( &ctx->md_ctx, additional, add_len ); md_hmac_finish( &ctx->md_ctx, K ); /* Step 2 or 5 */ md_hmac_starts( &ctx->md_ctx, K, md_len ); md_hmac_update( &ctx->md_ctx, ctx->V, md_len ); md_hmac_finish( &ctx->md_ctx, ctx->V ); } }
/* * HMAC_DRBG initialisation (10.1.2.3 + 9.1) */ SSL_ROM_TEXT_SECTION int hmac_drbg_init( hmac_drbg_context *ctx, const md_info_t * md_info, int (*f_entropy)(void *, unsigned char *, size_t), void *p_entropy, const unsigned char *custom, size_t len ) { int ret; size_t entropy_len; memset( ctx, 0, sizeof( hmac_drbg_context ) ); md_init( &ctx->md_ctx ); if( ( ret = md_init_ctx( &ctx->md_ctx, md_info ) ) != 0 ) return( ret ); /* * Set initial working state. * Use the V memory location, which is currently all 0, to initialize the * MD context with an all-zero key. Then set V to its initial value. */ md_hmac_starts( &ctx->md_ctx, ctx->V, md_info->size ); memset( ctx->V, 0x01, md_info->size ); ctx->f_entropy = f_entropy; ctx->p_entropy = p_entropy; ctx->reseed_interval = POLARSSL_HMAC_DRBG_RESEED_INTERVAL; /* * See SP800-57 5.6.1 (p. 65-66) for the security strength provided by * each hash function, then according to SP800-90A rev1 10.1 table 2, * min_entropy_len (in bits) is security_strength. * * (This also matches the sizes used in the NIST test vectors.) */ entropy_len = md_info->size <= 20 ? 16 : /* 160-bits hash -> 128 bits */ md_info->size <= 28 ? 24 : /* 224-bits hash -> 192 bits */ 32; /* better (256+) -> 256 bits */ /* * For initialisation, use more entropy to emulate a nonce * (Again, matches test vectors.) */ ctx->entropy_len = entropy_len * 3 / 2; if( ( ret = hmac_drbg_reseed( ctx, custom, len ) ) != 0 ) return( ret ); ctx->entropy_len = entropy_len; return( 0 ); }
/* * TODO: re-enable dmsg for crypto debug */ void hmac_ctx_init (md_context_t *ctx, const uint8_t *key, int key_len, const md_info_t *kt) { ASSERT(NULL != kt && NULL != ctx); CLEAR(*ctx); ASSERT(0 == md_init_ctx(ctx, kt)); ASSERT(0 == md_hmac_starts(ctx, key, key_len)); /* make sure we used a big enough key */ ASSERT (md_get_size(kt) <= key_len); }
int pkcs5_pbkdf2_hmac( md_context_t *ctx, const unsigned char *password, size_t plen, const unsigned char *salt, size_t slen, unsigned int iteration_count, uint32_t key_length, unsigned char *output ) { int ret, j; unsigned int i; unsigned char md1[POLARSSL_MD_MAX_SIZE]; unsigned char work[POLARSSL_MD_MAX_SIZE]; unsigned char md_size = md_get_size( ctx->md_info ); size_t use_len; unsigned char *out_p = output; unsigned char counter[4]; memset( counter, 0, 4 ); counter[3] = 1; if( iteration_count > 0xFFFFFFFF ) return( POLARSSL_ERR_PKCS5_BAD_INPUT_DATA ); while( key_length ) { // U1 ends up in work // if( ( ret = md_hmac_starts( ctx, password, plen ) ) != 0 ) return( ret ); if( ( ret = md_hmac_update( ctx, salt, slen ) ) != 0 ) return( ret ); if( ( ret = md_hmac_update( ctx, counter, 4 ) ) != 0 ) return( ret ); if( ( ret = md_hmac_finish( ctx, work ) ) != 0 ) return( ret ); memcpy( md1, work, md_size ); for ( i = 1; i < iteration_count; i++ ) { // U2 ends up in md1 // if( ( ret = md_hmac_starts( ctx, password, plen ) ) != 0 ) return( ret ); if( ( ret = md_hmac_update( ctx, md1, md_size ) ) != 0 ) return( ret ); if( ( ret = md_hmac_finish( ctx, md1 ) ) != 0 ) return( ret ); // U1 xor U2 // for( j = 0; j < md_size; j++ ) work[j] ^= md1[j]; } use_len = ( key_length < md_size ) ? key_length : md_size; memcpy( out_p, work, use_len ); key_length -= use_len; out_p += use_len; for( i = 4; i > 0; i-- ) if( ++counter[i - 1] != 0 ) break; } return( 0 ); }