2 * Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/crypto.h>
13 #include <openssl/err.h>
14 #include <openssl/rand.h>
15 #include "internal/thread_once.h"
16 #include "internal/thread_once.h"
19 * Implementation of NIST SP 800-90A CTR DRBG.
22 static void inc_128(RAND_DRBG_CTR *ctr)
26 unsigned char *p = &ctr->V[15];
28 for (i = 0; i < 16; i++, p--) {
33 /* If we didn't wrap around, we're done. */
39 static void ctr_XOR(RAND_DRBG_CTR *ctr, const unsigned char *in, size_t inlen)
43 if (in == NULL || inlen == 0)
47 * Any zero padding will have no effect on the result as we
48 * are XORing. So just process however much input we have.
50 n = inlen < ctr->keylen ? inlen : ctr->keylen;
51 for (i = 0; i < n; i++)
53 if (inlen <= ctr->keylen)
56 n = inlen - ctr->keylen;
58 /* Should never happen */
61 for (i = 0; i < n; i++)
62 ctr->V[i] ^= in[i + ctr->keylen];
66 * Process a complete block using BCC algorithm of SP 800-90A 10.3.3
68 __owur static int ctr_BCC_block(RAND_DRBG_CTR *ctr, unsigned char *out,
69 const unsigned char *in)
71 int i, outlen = AES_BLOCK_SIZE;
73 for (i = 0; i < 16; i++)
76 if (!EVP_CipherUpdate(ctr->ctx_df, out, &outlen, out, AES_BLOCK_SIZE)
77 || outlen != AES_BLOCK_SIZE)
84 * Handle several BCC operations for as much data as we need for K and X
86 __owur static int ctr_BCC_blocks(RAND_DRBG_CTR *ctr, const unsigned char *in)
88 if (!ctr_BCC_block(ctr, ctr->KX, in)
89 || !ctr_BCC_block(ctr, ctr->KX + 16, in))
91 if (ctr->keylen != 16 && !ctr_BCC_block(ctr, ctr->KX + 32, in))
97 * Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
100 __owur static int ctr_BCC_init(RAND_DRBG_CTR *ctr)
102 memset(ctr->KX, 0, 48);
103 memset(ctr->bltmp, 0, 16);
104 if (!ctr_BCC_block(ctr, ctr->KX, ctr->bltmp))
107 if (!ctr_BCC_block(ctr, ctr->KX + 16, ctr->bltmp))
109 if (ctr->keylen != 16) {
111 if (!ctr_BCC_block(ctr, ctr->KX + 32, ctr->bltmp))
118 * Process several blocks into BCC algorithm, some possibly partial
120 __owur static int ctr_BCC_update(RAND_DRBG_CTR *ctr,
121 const unsigned char *in, size_t inlen)
123 if (in == NULL || inlen == 0)
126 /* If we have partial block handle it first */
127 if (ctr->bltmp_pos) {
128 size_t left = 16 - ctr->bltmp_pos;
130 /* If we now have a complete block process it */
132 memcpy(ctr->bltmp + ctr->bltmp_pos, in, left);
133 if (!ctr_BCC_blocks(ctr, ctr->bltmp))
141 /* Process zero or more complete blocks */
142 for (; inlen >= 16; in += 16, inlen -= 16) {
143 if (!ctr_BCC_blocks(ctr, in))
147 /* Copy any remaining partial block to the temporary buffer */
149 memcpy(ctr->bltmp + ctr->bltmp_pos, in, inlen);
150 ctr->bltmp_pos += inlen;
155 __owur static int ctr_BCC_final(RAND_DRBG_CTR *ctr)
157 if (ctr->bltmp_pos) {
158 memset(ctr->bltmp + ctr->bltmp_pos, 0, 16 - ctr->bltmp_pos);
159 if (!ctr_BCC_blocks(ctr, ctr->bltmp))
165 __owur static int ctr_df(RAND_DRBG_CTR *ctr,
166 const unsigned char *in1, size_t in1len,
167 const unsigned char *in2, size_t in2len,
168 const unsigned char *in3, size_t in3len)
170 static unsigned char c80 = 0x80;
172 unsigned char *p = ctr->bltmp;
173 int outlen = AES_BLOCK_SIZE;
175 if (!ctr_BCC_init(ctr))
183 inlen = in1len + in2len + in3len;
184 /* Initialise L||N in temporary block */
185 *p++ = (inlen >> 24) & 0xff;
186 *p++ = (inlen >> 16) & 0xff;
187 *p++ = (inlen >> 8) & 0xff;
190 /* NB keylen is at most 32 bytes */
194 *p = (unsigned char)((ctr->keylen + 16) & 0xff);
196 if (!ctr_BCC_update(ctr, in1, in1len)
197 || !ctr_BCC_update(ctr, in2, in2len)
198 || !ctr_BCC_update(ctr, in3, in3len)
199 || !ctr_BCC_update(ctr, &c80, 1)
200 || !ctr_BCC_final(ctr))
203 if (!EVP_CipherInit_ex(ctr->ctx, ctr->cipher, NULL, ctr->KX, NULL, 1))
205 /* X follows key K */
206 if (!EVP_CipherUpdate(ctr->ctx, ctr->KX, &outlen, ctr->KX + ctr->keylen,
208 || outlen != AES_BLOCK_SIZE)
210 if (!EVP_CipherUpdate(ctr->ctx, ctr->KX + 16, &outlen, ctr->KX,
212 || outlen != AES_BLOCK_SIZE)
214 if (ctr->keylen != 16)
215 if (!EVP_CipherUpdate(ctr->ctx, ctr->KX + 32, &outlen, ctr->KX + 16,
217 || outlen != AES_BLOCK_SIZE)
223 * NB the no-df Update in SP800-90A specifies a constant input length
224 * of seedlen, however other uses of this algorithm pad the input with
225 * zeroes if necessary and have up to two parameters XORed together,
226 * so we handle both cases in this function instead.
228 __owur static int ctr_update(RAND_DRBG *drbg,
229 const unsigned char *in1, size_t in1len,
230 const unsigned char *in2, size_t in2len,
231 const unsigned char *nonce, size_t noncelen)
233 RAND_DRBG_CTR *ctr = &drbg->data.ctr;
234 int outlen = AES_BLOCK_SIZE;
236 /* correct key is already set up. */
238 if (!EVP_CipherUpdate(ctr->ctx, ctr->K, &outlen, ctr->V, AES_BLOCK_SIZE)
239 || outlen != AES_BLOCK_SIZE)
242 /* If keylen longer than 128 bits need extra encrypt */
243 if (ctr->keylen != 16) {
245 if (!EVP_CipherUpdate(ctr->ctx, ctr->K+16, &outlen, ctr->V,
247 || outlen != AES_BLOCK_SIZE)
251 if (!EVP_CipherUpdate(ctr->ctx, ctr->V, &outlen, ctr->V, AES_BLOCK_SIZE)
252 || outlen != AES_BLOCK_SIZE)
255 /* If 192 bit key part of V is on end of K */
256 if (ctr->keylen == 24) {
257 memcpy(ctr->V + 8, ctr->V, 8);
258 memcpy(ctr->V, ctr->K + 24, 8);
261 if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
262 /* If no input reuse existing derived value */
263 if (in1 != NULL || nonce != NULL || in2 != NULL)
264 if (!ctr_df(ctr, in1, in1len, nonce, noncelen, in2, in2len))
266 /* If this a reuse input in1len != 0 */
268 ctr_XOR(ctr, ctr->KX, drbg->seedlen);
270 ctr_XOR(ctr, in1, in1len);
271 ctr_XOR(ctr, in2, in2len);
274 if (!EVP_CipherInit_ex(ctr->ctx, ctr->cipher, NULL, ctr->K, NULL, 1))
279 __owur static int drbg_ctr_instantiate(RAND_DRBG *drbg,
280 const unsigned char *entropy, size_t entropylen,
281 const unsigned char *nonce, size_t noncelen,
282 const unsigned char *pers, size_t perslen)
284 RAND_DRBG_CTR *ctr = &drbg->data.ctr;
289 memset(ctr->K, 0, sizeof(ctr->K));
290 memset(ctr->V, 0, sizeof(ctr->V));
291 if (!EVP_CipherInit_ex(ctr->ctx, ctr->cipher, NULL, ctr->K, NULL, 1))
293 if (!ctr_update(drbg, entropy, entropylen, pers, perslen, nonce, noncelen))
298 __owur static int drbg_ctr_reseed(RAND_DRBG *drbg,
299 const unsigned char *entropy, size_t entropylen,
300 const unsigned char *adin, size_t adinlen)
304 if (!ctr_update(drbg, entropy, entropylen, adin, adinlen, NULL, 0))
309 __owur static int drbg_ctr_generate(RAND_DRBG *drbg,
310 unsigned char *out, size_t outlen,
311 const unsigned char *adin, size_t adinlen)
313 RAND_DRBG_CTR *ctr = &drbg->data.ctr;
315 if (adin != NULL && adinlen != 0) {
316 if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
318 /* This means we reuse derived value */
319 if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
328 int outl = AES_BLOCK_SIZE;
332 /* Use K as temp space as it will be updated */
333 if (!EVP_CipherUpdate(ctr->ctx, ctr->K, &outl, ctr->V,
335 || outl != AES_BLOCK_SIZE)
337 memcpy(out, ctr->K, outlen);
340 if (!EVP_CipherUpdate(ctr->ctx, out, &outl, ctr->V, AES_BLOCK_SIZE)
341 || outl != AES_BLOCK_SIZE)
349 if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
354 static int drbg_ctr_uninstantiate(RAND_DRBG *drbg)
356 EVP_CIPHER_CTX_free(drbg->data.ctr.ctx);
357 EVP_CIPHER_CTX_free(drbg->data.ctr.ctx_df);
358 OPENSSL_cleanse(&drbg->data.ctr, sizeof(drbg->data.ctr));
362 static RAND_DRBG_METHOD drbg_ctr_meth = {
363 drbg_ctr_instantiate,
366 drbg_ctr_uninstantiate
369 int drbg_ctr_init(RAND_DRBG *drbg)
371 RAND_DRBG_CTR *ctr = &drbg->data.ctr;
374 switch (drbg->type) {
376 /* This can't happen, but silence the compiler warning. */
378 case NID_aes_128_ctr:
380 ctr->cipher = EVP_aes_128_ecb();
382 case NID_aes_192_ctr:
384 ctr->cipher = EVP_aes_192_ecb();
386 case NID_aes_256_ctr:
388 ctr->cipher = EVP_aes_256_ecb();
392 drbg->meth = &drbg_ctr_meth;
394 ctr->keylen = keylen;
395 if (ctr->ctx == NULL)
396 ctr->ctx = EVP_CIPHER_CTX_new();
397 if (ctr->ctx == NULL)
399 drbg->strength = keylen * 8;
400 drbg->seedlen = keylen + 16;
402 if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
403 /* df initialisation */
404 static const unsigned char df_key[32] = {
405 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
406 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
407 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
408 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
411 if (ctr->ctx_df == NULL)
412 ctr->ctx_df = EVP_CIPHER_CTX_new();
413 if (ctr->ctx_df == NULL)
415 /* Set key schedule for df_key */
416 if (!EVP_CipherInit_ex(ctr->ctx_df, ctr->cipher, NULL, df_key, NULL, 1))
419 drbg->min_entropylen = ctr->keylen;
420 drbg->max_entropylen = DRBG_MAX_LENGTH;
421 drbg->min_noncelen = drbg->min_entropylen / 2;
422 drbg->max_noncelen = DRBG_MAX_LENGTH;
423 drbg->max_perslen = DRBG_MAX_LENGTH;
424 drbg->max_adinlen = DRBG_MAX_LENGTH;
426 drbg->min_entropylen = drbg->seedlen;
427 drbg->max_entropylen = drbg->seedlen;
429 drbg->min_noncelen = 0;
430 drbg->max_noncelen = 0;
431 drbg->max_perslen = drbg->seedlen;
432 drbg->max_adinlen = drbg->seedlen;
435 drbg->max_request = 1 << 16;