2 * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/crypto.h>
13 #include <openssl/err.h>
14 #include <openssl/rand.h>
15 #include "modes_local.h"
16 #include "internal/thread_once.h"
17 #include "rand_local.h"
20 * Implementation of NIST SP 800-90A CTR DRBG.
23 static void inc_128(RAND_DRBG_CTR *ctr)
25 unsigned char *p = &ctr->V[0];
36 static void ctr_XOR(RAND_DRBG_CTR *ctr, const unsigned char *in, size_t inlen)
40 if (in == NULL || inlen == 0)
44 * Any zero padding will have no effect on the result as we
45 * are XORing. So just process however much input we have.
47 n = inlen < ctr->keylen ? inlen : ctr->keylen;
48 for (i = 0; i < n; i++)
50 if (inlen <= ctr->keylen)
53 n = inlen - ctr->keylen;
55 /* Should never happen */
58 for (i = 0; i < n; i++)
59 ctr->V[i] ^= in[i + ctr->keylen];
63 * Process a complete block using BCC algorithm of SP 800-90A 10.3.3
65 __owur static int ctr_BCC_block(RAND_DRBG_CTR *ctr, unsigned char *out,
66 const unsigned char *in)
68 int i, outlen = AES_BLOCK_SIZE;
70 for (i = 0; i < 16; i++)
73 if (!EVP_CipherUpdate(ctr->ctx_df, out, &outlen, out, AES_BLOCK_SIZE)
74 || outlen != AES_BLOCK_SIZE)
81 * Handle several BCC operations for as much data as we need for K and X
83 __owur static int ctr_BCC_blocks(RAND_DRBG_CTR *ctr, const unsigned char *in)
85 if (!ctr_BCC_block(ctr, ctr->KX, in)
86 || !ctr_BCC_block(ctr, ctr->KX + 16, in))
88 if (ctr->keylen != 16 && !ctr_BCC_block(ctr, ctr->KX + 32, in))
94 * Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
97 __owur static int ctr_BCC_init(RAND_DRBG_CTR *ctr)
99 memset(ctr->KX, 0, 48);
100 memset(ctr->bltmp, 0, 16);
101 if (!ctr_BCC_block(ctr, ctr->KX, ctr->bltmp))
104 if (!ctr_BCC_block(ctr, ctr->KX + 16, ctr->bltmp))
106 if (ctr->keylen != 16) {
108 if (!ctr_BCC_block(ctr, ctr->KX + 32, ctr->bltmp))
115 * Process several blocks into BCC algorithm, some possibly partial
117 __owur static int ctr_BCC_update(RAND_DRBG_CTR *ctr,
118 const unsigned char *in, size_t inlen)
120 if (in == NULL || inlen == 0)
123 /* If we have partial block handle it first */
124 if (ctr->bltmp_pos) {
125 size_t left = 16 - ctr->bltmp_pos;
127 /* If we now have a complete block process it */
129 memcpy(ctr->bltmp + ctr->bltmp_pos, in, left);
130 if (!ctr_BCC_blocks(ctr, ctr->bltmp))
138 /* Process zero or more complete blocks */
139 for (; inlen >= 16; in += 16, inlen -= 16) {
140 if (!ctr_BCC_blocks(ctr, in))
144 /* Copy any remaining partial block to the temporary buffer */
146 memcpy(ctr->bltmp + ctr->bltmp_pos, in, inlen);
147 ctr->bltmp_pos += inlen;
152 __owur static int ctr_BCC_final(RAND_DRBG_CTR *ctr)
154 if (ctr->bltmp_pos) {
155 memset(ctr->bltmp + ctr->bltmp_pos, 0, 16 - ctr->bltmp_pos);
156 if (!ctr_BCC_blocks(ctr, ctr->bltmp))
162 __owur static int ctr_df(RAND_DRBG_CTR *ctr,
163 const unsigned char *in1, size_t in1len,
164 const unsigned char *in2, size_t in2len,
165 const unsigned char *in3, size_t in3len)
167 static unsigned char c80 = 0x80;
169 unsigned char *p = ctr->bltmp;
170 int outlen = AES_BLOCK_SIZE;
172 if (!ctr_BCC_init(ctr))
180 inlen = in1len + in2len + in3len;
181 /* Initialise L||N in temporary block */
182 *p++ = (inlen >> 24) & 0xff;
183 *p++ = (inlen >> 16) & 0xff;
184 *p++ = (inlen >> 8) & 0xff;
187 /* NB keylen is at most 32 bytes */
191 *p = (unsigned char)((ctr->keylen + 16) & 0xff);
193 if (!ctr_BCC_update(ctr, in1, in1len)
194 || !ctr_BCC_update(ctr, in2, in2len)
195 || !ctr_BCC_update(ctr, in3, in3len)
196 || !ctr_BCC_update(ctr, &c80, 1)
197 || !ctr_BCC_final(ctr))
200 if (!EVP_CipherInit_ex(ctr->ctx, ctr->cipher, NULL, ctr->KX, NULL, 1))
202 /* X follows key K */
203 if (!EVP_CipherUpdate(ctr->ctx, ctr->KX, &outlen, ctr->KX + ctr->keylen,
205 || outlen != AES_BLOCK_SIZE)
207 if (!EVP_CipherUpdate(ctr->ctx, ctr->KX + 16, &outlen, ctr->KX,
209 || outlen != AES_BLOCK_SIZE)
211 if (ctr->keylen != 16)
212 if (!EVP_CipherUpdate(ctr->ctx, ctr->KX + 32, &outlen, ctr->KX + 16,
214 || outlen != AES_BLOCK_SIZE)
220 * NB the no-df Update in SP800-90A specifies a constant input length
221 * of seedlen, however other uses of this algorithm pad the input with
222 * zeroes if necessary and have up to two parameters XORed together,
223 * so we handle both cases in this function instead.
225 __owur static int ctr_update(RAND_DRBG *drbg,
226 const unsigned char *in1, size_t in1len,
227 const unsigned char *in2, size_t in2len,
228 const unsigned char *nonce, size_t noncelen)
230 RAND_DRBG_CTR *ctr = &drbg->data.ctr;
231 int outlen = AES_BLOCK_SIZE;
233 /* correct key is already set up. */
235 if (!EVP_CipherUpdate(ctr->ctx, ctr->K, &outlen, ctr->V, AES_BLOCK_SIZE)
236 || outlen != AES_BLOCK_SIZE)
239 /* If keylen longer than 128 bits need extra encrypt */
240 if (ctr->keylen != 16) {
242 if (!EVP_CipherUpdate(ctr->ctx, ctr->K+16, &outlen, ctr->V,
244 || outlen != AES_BLOCK_SIZE)
248 if (!EVP_CipherUpdate(ctr->ctx, ctr->V, &outlen, ctr->V, AES_BLOCK_SIZE)
249 || outlen != AES_BLOCK_SIZE)
252 /* If 192 bit key part of V is on end of K */
253 if (ctr->keylen == 24) {
254 memcpy(ctr->V + 8, ctr->V, 8);
255 memcpy(ctr->V, ctr->K + 24, 8);
258 if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
259 /* If no input reuse existing derived value */
260 if (in1 != NULL || nonce != NULL || in2 != NULL)
261 if (!ctr_df(ctr, in1, in1len, nonce, noncelen, in2, in2len))
263 /* If this a reuse input in1len != 0 */
265 ctr_XOR(ctr, ctr->KX, drbg->seedlen);
267 ctr_XOR(ctr, in1, in1len);
268 ctr_XOR(ctr, in2, in2len);
271 if (!EVP_CipherInit_ex(ctr->ctx, ctr->cipher, NULL, ctr->K, NULL, 1))
276 __owur static int drbg_ctr_instantiate(RAND_DRBG *drbg,
277 const unsigned char *entropy, size_t entropylen,
278 const unsigned char *nonce, size_t noncelen,
279 const unsigned char *pers, size_t perslen)
281 RAND_DRBG_CTR *ctr = &drbg->data.ctr;
286 memset(ctr->K, 0, sizeof(ctr->K));
287 memset(ctr->V, 0, sizeof(ctr->V));
288 if (!EVP_CipherInit_ex(ctr->ctx, ctr->cipher, NULL, ctr->K, NULL, 1))
290 if (!ctr_update(drbg, entropy, entropylen, pers, perslen, nonce, noncelen))
295 __owur static int drbg_ctr_reseed(RAND_DRBG *drbg,
296 const unsigned char *entropy, size_t entropylen,
297 const unsigned char *adin, size_t adinlen)
301 if (!ctr_update(drbg, entropy, entropylen, adin, adinlen, NULL, 0))
306 __owur static int drbg_ctr_generate(RAND_DRBG *drbg,
307 unsigned char *out, size_t outlen,
308 const unsigned char *adin, size_t adinlen)
310 RAND_DRBG_CTR *ctr = &drbg->data.ctr;
312 if (adin != NULL && adinlen != 0) {
313 if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
315 /* This means we reuse derived value */
316 if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
325 int outl = AES_BLOCK_SIZE;
329 /* Use K as temp space as it will be updated */
330 if (!EVP_CipherUpdate(ctr->ctx, ctr->K, &outl, ctr->V,
332 || outl != AES_BLOCK_SIZE)
334 memcpy(out, ctr->K, outlen);
337 if (!EVP_CipherUpdate(ctr->ctx, out, &outl, ctr->V, AES_BLOCK_SIZE)
338 || outl != AES_BLOCK_SIZE)
346 if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
351 static int drbg_ctr_uninstantiate(RAND_DRBG *drbg)
353 EVP_CIPHER_CTX_free(drbg->data.ctr.ctx);
354 EVP_CIPHER_CTX_free(drbg->data.ctr.ctx_df);
355 OPENSSL_cleanse(&drbg->data.ctr, sizeof(drbg->data.ctr));
359 static RAND_DRBG_METHOD drbg_ctr_meth = {
360 drbg_ctr_instantiate,
363 drbg_ctr_uninstantiate
366 int drbg_ctr_init(RAND_DRBG *drbg)
368 RAND_DRBG_CTR *ctr = &drbg->data.ctr;
371 switch (drbg->type) {
373 /* This can't happen, but silence the compiler warning. */
375 case NID_aes_128_ctr:
377 ctr->cipher = EVP_aes_128_ecb();
379 case NID_aes_192_ctr:
381 ctr->cipher = EVP_aes_192_ecb();
383 case NID_aes_256_ctr:
385 ctr->cipher = EVP_aes_256_ecb();
389 drbg->meth = &drbg_ctr_meth;
391 ctr->keylen = keylen;
392 if (ctr->ctx == NULL)
393 ctr->ctx = EVP_CIPHER_CTX_new();
394 if (ctr->ctx == NULL)
396 drbg->strength = keylen * 8;
397 drbg->seedlen = keylen + 16;
399 if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
400 /* df initialisation */
401 static const unsigned char df_key[32] = {
402 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
403 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
404 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
405 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
408 if (ctr->ctx_df == NULL)
409 ctr->ctx_df = EVP_CIPHER_CTX_new();
410 if (ctr->ctx_df == NULL)
412 /* Set key schedule for df_key */
413 if (!EVP_CipherInit_ex(ctr->ctx_df, ctr->cipher, NULL, df_key, NULL, 1))
416 drbg->min_entropylen = ctr->keylen;
417 drbg->max_entropylen = DRBG_MAX_LENGTH;
418 drbg->min_noncelen = drbg->min_entropylen / 2;
419 drbg->max_noncelen = DRBG_MAX_LENGTH;
420 drbg->max_perslen = DRBG_MAX_LENGTH;
421 drbg->max_adinlen = DRBG_MAX_LENGTH;
423 drbg->min_entropylen = drbg->seedlen;
424 drbg->max_entropylen = drbg->seedlen;
426 drbg->min_noncelen = 0;
427 drbg->max_noncelen = 0;
428 drbg->max_perslen = drbg->seedlen;
429 drbg->max_adinlen = drbg->seedlen;
432 drbg->max_request = 1 << 16;