2 * Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/crypto.h>
13 #include <openssl/err.h>
14 #include <openssl/rand.h>
15 #include "internal/thread_once.h"
19 * Implementation of NIST SP 800-90A CTR DRBG.
21 static void inc_128(RAND_DRBG_CTR *ctr)
25 unsigned char *p = &ctr->V[15];
27 for (i = 0; i < 16; i++, p--) {
32 /* If we didn't wrap around, we're done. */
38 static void ctr_XOR(RAND_DRBG_CTR *ctr, const unsigned char *in, size_t inlen)
42 if (in == NULL || inlen == 0)
46 * Any zero padding will have no effect on the result as we
47 * are XORing. So just process however much input we have.
49 n = inlen < ctr->keylen ? inlen : ctr->keylen;
50 for (i = 0; i < n; i++)
52 if (inlen <= ctr->keylen)
55 n = inlen - ctr->keylen;
57 /* Should never happen */
60 for (i = 0; i < n; i++)
61 ctr->V[i] ^= in[i + ctr->keylen];
65 * Process a complete block using BCC algorithm of SP 800-90A 10.3.3
67 __owur static int ctr_BCC_block(RAND_DRBG_CTR *ctr, unsigned char *out,
68 const unsigned char *in)
70 int i, outlen = AES_BLOCK_SIZE;
72 for (i = 0; i < 16; i++)
75 if (!EVP_CipherUpdate(ctr->ctx_df, out, &outlen, out, AES_BLOCK_SIZE)
76 || outlen != AES_BLOCK_SIZE)
83 * Handle several BCC operations for as much data as we need for K and X
85 __owur static int ctr_BCC_blocks(RAND_DRBG_CTR *ctr, const unsigned char *in)
87 if (!ctr_BCC_block(ctr, ctr->KX, in)
88 || !ctr_BCC_block(ctr, ctr->KX + 16, in))
90 if (ctr->keylen != 16 && !ctr_BCC_block(ctr, ctr->KX + 32, in))
96 * Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
99 __owur static int ctr_BCC_init(RAND_DRBG_CTR *ctr)
101 memset(ctr->KX, 0, 48);
102 memset(ctr->bltmp, 0, 16);
103 if (!ctr_BCC_block(ctr, ctr->KX, ctr->bltmp))
106 if (!ctr_BCC_block(ctr, ctr->KX + 16, ctr->bltmp))
108 if (ctr->keylen != 16) {
110 if (!ctr_BCC_block(ctr, ctr->KX + 32, ctr->bltmp))
117 * Process several blocks into BCC algorithm, some possibly partial
119 __owur static int ctr_BCC_update(RAND_DRBG_CTR *ctr,
120 const unsigned char *in, size_t inlen)
122 if (in == NULL || inlen == 0)
125 /* If we have partial block handle it first */
126 if (ctr->bltmp_pos) {
127 size_t left = 16 - ctr->bltmp_pos;
129 /* If we now have a complete block process it */
131 memcpy(ctr->bltmp + ctr->bltmp_pos, in, left);
132 if (!ctr_BCC_blocks(ctr, ctr->bltmp))
140 /* Process zero or more complete blocks */
141 for (; inlen >= 16; in += 16, inlen -= 16) {
142 if (!ctr_BCC_blocks(ctr, in))
146 /* Copy any remaining partial block to the temporary buffer */
148 memcpy(ctr->bltmp + ctr->bltmp_pos, in, inlen);
149 ctr->bltmp_pos += inlen;
154 __owur static int ctr_BCC_final(RAND_DRBG_CTR *ctr)
156 if (ctr->bltmp_pos) {
157 memset(ctr->bltmp + ctr->bltmp_pos, 0, 16 - ctr->bltmp_pos);
158 if (!ctr_BCC_blocks(ctr, ctr->bltmp))
164 __owur static int ctr_df(RAND_DRBG_CTR *ctr,
165 const unsigned char *in1, size_t in1len,
166 const unsigned char *in2, size_t in2len,
167 const unsigned char *in3, size_t in3len)
169 static unsigned char c80 = 0x80;
171 unsigned char *p = ctr->bltmp;
172 int outlen = AES_BLOCK_SIZE;
174 if (!ctr_BCC_init(ctr))
182 inlen = in1len + in2len + in3len;
183 /* Initialise L||N in temporary block */
184 *p++ = (inlen >> 24) & 0xff;
185 *p++ = (inlen >> 16) & 0xff;
186 *p++ = (inlen >> 8) & 0xff;
189 /* NB keylen is at most 32 bytes */
193 *p = (unsigned char)((ctr->keylen + 16) & 0xff);
195 if (!ctr_BCC_update(ctr, in1, in1len)
196 || !ctr_BCC_update(ctr, in2, in2len)
197 || !ctr_BCC_update(ctr, in3, in3len)
198 || !ctr_BCC_update(ctr, &c80, 1)
199 || !ctr_BCC_final(ctr))
202 if (!EVP_CipherInit_ex(ctr->ctx, ctr->cipher, NULL, ctr->KX, NULL, 1))
204 /* X follows key K */
205 if (!EVP_CipherUpdate(ctr->ctx, ctr->KX, &outlen, ctr->KX + ctr->keylen,
207 || outlen != AES_BLOCK_SIZE)
209 if (!EVP_CipherUpdate(ctr->ctx, ctr->KX + 16, &outlen, ctr->KX,
211 || outlen != AES_BLOCK_SIZE)
213 if (ctr->keylen != 16)
214 if (!EVP_CipherUpdate(ctr->ctx, ctr->KX + 32, &outlen, ctr->KX + 16,
216 || outlen != AES_BLOCK_SIZE)
222 * NB the no-df Update in SP800-90A specifies a constant input length
223 * of seedlen, however other uses of this algorithm pad the input with
224 * zeroes if necessary and have up to two parameters XORed together,
225 * so we handle both cases in this function instead.
227 __owur static int ctr_update(RAND_DRBG *drbg,
228 const unsigned char *in1, size_t in1len,
229 const unsigned char *in2, size_t in2len,
230 const unsigned char *nonce, size_t noncelen)
232 RAND_DRBG_CTR *ctr = &drbg->data.ctr;
233 int outlen = AES_BLOCK_SIZE;
235 /* correct key is already set up. */
237 if (!EVP_CipherUpdate(ctr->ctx, ctr->K, &outlen, ctr->V, AES_BLOCK_SIZE)
238 || outlen != AES_BLOCK_SIZE)
241 /* If keylen longer than 128 bits need extra encrypt */
242 if (ctr->keylen != 16) {
244 if (!EVP_CipherUpdate(ctr->ctx, ctr->K+16, &outlen, ctr->V,
246 || outlen != AES_BLOCK_SIZE)
250 if (!EVP_CipherUpdate(ctr->ctx, ctr->V, &outlen, ctr->V, AES_BLOCK_SIZE)
251 || outlen != AES_BLOCK_SIZE)
254 /* If 192 bit key part of V is on end of K */
255 if (ctr->keylen == 24) {
256 memcpy(ctr->V + 8, ctr->V, 8);
257 memcpy(ctr->V, ctr->K + 24, 8);
260 if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
261 /* If no input reuse existing derived value */
262 if (in1 != NULL || nonce != NULL || in2 != NULL)
263 if (!ctr_df(ctr, in1, in1len, nonce, noncelen, in2, in2len))
265 /* If this a reuse input in1len != 0 */
267 ctr_XOR(ctr, ctr->KX, drbg->seedlen);
269 ctr_XOR(ctr, in1, in1len);
270 ctr_XOR(ctr, in2, in2len);
273 if (!EVP_CipherInit_ex(ctr->ctx, ctr->cipher, NULL, ctr->K, NULL, 1))
278 __owur static int drbg_ctr_instantiate(RAND_DRBG *drbg,
279 const unsigned char *entropy, size_t entropylen,
280 const unsigned char *nonce, size_t noncelen,
281 const unsigned char *pers, size_t perslen)
283 RAND_DRBG_CTR *ctr = &drbg->data.ctr;
288 memset(ctr->K, 0, sizeof(ctr->K));
289 memset(ctr->V, 0, sizeof(ctr->V));
290 if (!EVP_CipherInit_ex(ctr->ctx, ctr->cipher, NULL, ctr->K, NULL, 1))
292 if (!ctr_update(drbg, entropy, entropylen, pers, perslen, nonce, noncelen))
297 __owur static int drbg_ctr_reseed(RAND_DRBG *drbg,
298 const unsigned char *entropy, size_t entropylen,
299 const unsigned char *adin, size_t adinlen)
303 if (!ctr_update(drbg, entropy, entropylen, adin, adinlen, NULL, 0))
308 __owur static int drbg_ctr_generate(RAND_DRBG *drbg,
309 unsigned char *out, size_t outlen,
310 const unsigned char *adin, size_t adinlen)
312 RAND_DRBG_CTR *ctr = &drbg->data.ctr;
314 if (adin != NULL && adinlen != 0) {
315 if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
317 /* This means we reuse derived value */
318 if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
327 int outl = AES_BLOCK_SIZE;
331 /* Use K as temp space as it will be updated */
332 if (!EVP_CipherUpdate(ctr->ctx, ctr->K, &outl, ctr->V,
334 || outl != AES_BLOCK_SIZE)
336 memcpy(out, ctr->K, outlen);
339 if (!EVP_CipherUpdate(ctr->ctx, out, &outl, ctr->V, AES_BLOCK_SIZE)
340 || outl != AES_BLOCK_SIZE)
348 if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
353 static int drbg_ctr_uninstantiate(RAND_DRBG *drbg)
355 EVP_CIPHER_CTX_free(drbg->data.ctr.ctx);
356 EVP_CIPHER_CTX_free(drbg->data.ctr.ctx_df);
357 OPENSSL_cleanse(&drbg->data.ctr, sizeof(drbg->data.ctr));
361 static RAND_DRBG_METHOD drbg_ctr_meth = {
362 drbg_ctr_instantiate,
365 drbg_ctr_uninstantiate
368 int drbg_ctr_init(RAND_DRBG *drbg)
370 RAND_DRBG_CTR *ctr = &drbg->data.ctr;
373 switch (drbg->type) {
375 /* This can't happen, but silence the compiler warning. */
377 case NID_aes_128_ctr:
379 ctr->cipher = EVP_aes_128_ecb();
381 case NID_aes_192_ctr:
383 ctr->cipher = EVP_aes_192_ecb();
385 case NID_aes_256_ctr:
387 ctr->cipher = EVP_aes_256_ecb();
391 drbg->meth = &drbg_ctr_meth;
393 ctr->keylen = keylen;
394 if (ctr->ctx == NULL)
395 ctr->ctx = EVP_CIPHER_CTX_new();
396 if (ctr->ctx == NULL)
398 drbg->strength = keylen * 8;
399 drbg->seedlen = keylen + 16;
401 if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
402 /* df initialisation */
403 static const unsigned char df_key[32] = {
404 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
405 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
406 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
407 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
410 if (ctr->ctx_df == NULL)
411 ctr->ctx_df = EVP_CIPHER_CTX_new();
412 if (ctr->ctx_df == NULL)
414 /* Set key schedule for df_key */
415 if (!EVP_CipherInit_ex(ctr->ctx_df, ctr->cipher, NULL, df_key, NULL, 1))
418 drbg->min_entropylen = ctr->keylen;
419 drbg->max_entropylen = DRBG_MAX_LENGTH;
420 drbg->min_noncelen = drbg->min_entropylen / 2;
421 drbg->max_noncelen = DRBG_MAX_LENGTH;
422 drbg->max_perslen = DRBG_MAX_LENGTH;
423 drbg->max_adinlen = DRBG_MAX_LENGTH;
425 drbg->min_entropylen = drbg->seedlen;
426 drbg->max_entropylen = drbg->seedlen;
428 drbg->min_noncelen = 0;
429 drbg->max_noncelen = 0;
430 drbg->max_perslen = drbg->seedlen;
431 drbg->max_adinlen = drbg->seedlen;
434 drbg->max_request = 1 << 16;