2 * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/crypto.h>
13 #include <openssl/err.h>
14 #include <openssl/rand.h>
15 #include "modes_local.h"
16 #include "internal/thread_once.h"
17 #include "rand_local.h"
20 * Implementation of NIST SP 800-90A CTR DRBG.
23 static void inc_128(RAND_DRBG_CTR *ctr)
25 unsigned char *p = &ctr->V[0];
36 static void ctr_XOR(RAND_DRBG_CTR *ctr, const unsigned char *in, size_t inlen)
40 if (in == NULL || inlen == 0)
44 * Any zero padding will have no effect on the result as we
45 * are XORing. So just process however much input we have.
47 n = inlen < ctr->keylen ? inlen : ctr->keylen;
48 for (i = 0; i < n; i++)
50 if (inlen <= ctr->keylen)
53 n = inlen - ctr->keylen;
55 /* Should never happen */
58 for (i = 0; i < n; i++)
59 ctr->V[i] ^= in[i + ctr->keylen];
63 * Process a complete block using BCC algorithm of SP 800-90A 10.3.3
65 __owur static int ctr_BCC_block(RAND_DRBG_CTR *ctr, unsigned char *out,
66 const unsigned char *in, int len)
68 int i, outlen = AES_BLOCK_SIZE;
70 for (i = 0; i < len; i++)
73 if (!EVP_CipherUpdate(ctr->ctx_df, out, &outlen, out, len)
81 * Handle several BCC operations for as much data as we need for K and X
83 __owur static int ctr_BCC_blocks(RAND_DRBG_CTR *ctr, const unsigned char *in)
85 unsigned char in_tmp[48];
86 unsigned char num_of_blk = 2;
88 memcpy(in_tmp, in, 16);
89 memcpy(in_tmp + 16, in, 16);
90 if (ctr->keylen != 16) {
91 memcpy(in_tmp + 32, in, 16);
94 return ctr_BCC_block(ctr, ctr->KX, in_tmp, AES_BLOCK_SIZE * num_of_blk);
98 * Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
101 __owur static int ctr_BCC_init(RAND_DRBG_CTR *ctr)
103 unsigned char bltmp[48] = {0};
104 unsigned char num_of_blk;
106 memset(ctr->KX, 0, 48);
107 num_of_blk = ctr->keylen == 16 ? 2 : 3;
108 bltmp[(AES_BLOCK_SIZE * 1) + 3] = 1;
109 bltmp[(AES_BLOCK_SIZE * 2) + 3] = 2;
110 return ctr_BCC_block(ctr, ctr->KX, bltmp, num_of_blk * AES_BLOCK_SIZE);
114 * Process several blocks into BCC algorithm, some possibly partial
116 __owur static int ctr_BCC_update(RAND_DRBG_CTR *ctr,
117 const unsigned char *in, size_t inlen)
119 if (in == NULL || inlen == 0)
122 /* If we have partial block handle it first */
123 if (ctr->bltmp_pos) {
124 size_t left = 16 - ctr->bltmp_pos;
126 /* If we now have a complete block process it */
128 memcpy(ctr->bltmp + ctr->bltmp_pos, in, left);
129 if (!ctr_BCC_blocks(ctr, ctr->bltmp))
137 /* Process zero or more complete blocks */
138 for (; inlen >= 16; in += 16, inlen -= 16) {
139 if (!ctr_BCC_blocks(ctr, in))
143 /* Copy any remaining partial block to the temporary buffer */
145 memcpy(ctr->bltmp + ctr->bltmp_pos, in, inlen);
146 ctr->bltmp_pos += inlen;
151 __owur static int ctr_BCC_final(RAND_DRBG_CTR *ctr)
153 if (ctr->bltmp_pos) {
154 memset(ctr->bltmp + ctr->bltmp_pos, 0, 16 - ctr->bltmp_pos);
155 if (!ctr_BCC_blocks(ctr, ctr->bltmp))
161 __owur static int ctr_df(RAND_DRBG_CTR *ctr,
162 const unsigned char *in1, size_t in1len,
163 const unsigned char *in2, size_t in2len,
164 const unsigned char *in3, size_t in3len)
166 static unsigned char c80 = 0x80;
168 unsigned char *p = ctr->bltmp;
169 int outlen = AES_BLOCK_SIZE;
171 if (!ctr_BCC_init(ctr))
179 inlen = in1len + in2len + in3len;
180 /* Initialise L||N in temporary block */
181 *p++ = (inlen >> 24) & 0xff;
182 *p++ = (inlen >> 16) & 0xff;
183 *p++ = (inlen >> 8) & 0xff;
186 /* NB keylen is at most 32 bytes */
190 *p = (unsigned char)((ctr->keylen + 16) & 0xff);
192 if (!ctr_BCC_update(ctr, in1, in1len)
193 || !ctr_BCC_update(ctr, in2, in2len)
194 || !ctr_BCC_update(ctr, in3, in3len)
195 || !ctr_BCC_update(ctr, &c80, 1)
196 || !ctr_BCC_final(ctr))
199 if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->KX, NULL, -1))
201 /* X follows key K */
202 if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX, &outlen, ctr->KX + ctr->keylen,
204 || outlen != AES_BLOCK_SIZE)
206 if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX + 16, &outlen, ctr->KX,
208 || outlen != AES_BLOCK_SIZE)
210 if (ctr->keylen != 16)
211 if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX + 32, &outlen,
212 ctr->KX + 16, AES_BLOCK_SIZE)
213 || outlen != AES_BLOCK_SIZE)
219 * NB the no-df Update in SP800-90A specifies a constant input length
220 * of seedlen, however other uses of this algorithm pad the input with
221 * zeroes if necessary and have up to two parameters XORed together,
222 * so we handle both cases in this function instead.
224 __owur static int ctr_update(RAND_DRBG *drbg,
225 const unsigned char *in1, size_t in1len,
226 const unsigned char *in2, size_t in2len,
227 const unsigned char *nonce, size_t noncelen)
229 RAND_DRBG_CTR *ctr = &drbg->data.ctr;
230 int outlen = AES_BLOCK_SIZE;
231 unsigned char V_tmp[48], out[48];
234 /* correct key is already set up. */
235 memcpy(V_tmp, ctr->V, 16);
237 memcpy(V_tmp + 16, ctr->V, 16);
238 if (ctr->keylen == 16) {
242 memcpy(V_tmp + 32, ctr->V, 16);
245 if (!EVP_CipherUpdate(ctr->ctx_ecb, out, &outlen, V_tmp, len)
248 memcpy(ctr->K, out, ctr->keylen);
249 memcpy(ctr->V, out + ctr->keylen, 16);
251 if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
252 /* If no input reuse existing derived value */
253 if (in1 != NULL || nonce != NULL || in2 != NULL)
254 if (!ctr_df(ctr, in1, in1len, nonce, noncelen, in2, in2len))
256 /* If this a reuse input in1len != 0 */
258 ctr_XOR(ctr, ctr->KX, drbg->seedlen);
260 ctr_XOR(ctr, in1, in1len);
261 ctr_XOR(ctr, in2, in2len);
264 if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->K, NULL, -1)
265 || !EVP_CipherInit_ex(ctr->ctx_ctr, NULL, NULL, ctr->K, NULL, -1))
270 __owur static int drbg_ctr_instantiate(RAND_DRBG *drbg,
271 const unsigned char *entropy, size_t entropylen,
272 const unsigned char *nonce, size_t noncelen,
273 const unsigned char *pers, size_t perslen)
275 RAND_DRBG_CTR *ctr = &drbg->data.ctr;
280 memset(ctr->K, 0, sizeof(ctr->K));
281 memset(ctr->V, 0, sizeof(ctr->V));
282 if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->K, NULL, -1))
286 if (!ctr_update(drbg, entropy, entropylen, pers, perslen, nonce, noncelen))
291 __owur static int drbg_ctr_reseed(RAND_DRBG *drbg,
292 const unsigned char *entropy, size_t entropylen,
293 const unsigned char *adin, size_t adinlen)
295 RAND_DRBG_CTR *ctr = &drbg->data.ctr;
301 if (!ctr_update(drbg, entropy, entropylen, adin, adinlen, NULL, 0))
306 static void ctr96_inc(unsigned char *counter)
318 __owur static int drbg_ctr_generate(RAND_DRBG *drbg,
319 unsigned char *out, size_t outlen,
320 const unsigned char *adin, size_t adinlen)
322 RAND_DRBG_CTR *ctr = &drbg->data.ctr;
323 unsigned int ctr32, blocks;
326 if (adin != NULL && adinlen != 0) {
329 if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
331 /* This means we reuse derived value */
332 if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
345 if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
350 memset(out, 0, outlen);
353 if (!EVP_CipherInit_ex(ctr->ctx_ctr,
354 NULL, NULL, NULL, ctr->V, -1))
358 * outlen has type size_t while EVP_CipherUpdate takes an
359 * int argument and thus cannot be guaranteed to process more
360 * than 2^31-1 bytes at a time. We process such huge generate
361 * requests in 2^30 byte chunks, which is the greatest multiple
362 * of AES block size lower than or equal to 2^31-1.
364 buflen = outlen > (1U << 30) ? (1U << 30) : outlen;
365 blocks = (buflen + 15) / 16;
367 ctr32 = GETU32(ctr->V + 12) + blocks;
368 if (ctr32 < blocks) {
369 /* 32-bit counter overflow into V. */
372 buflen = blocks * 16;
377 PUTU32(ctr->V + 12, ctr32);
379 if (!EVP_CipherUpdate(ctr->ctx_ctr, out, &outl, out, buflen)
387 if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
392 static int drbg_ctr_uninstantiate(RAND_DRBG *drbg)
394 EVP_CIPHER_CTX_free(drbg->data.ctr.ctx_ecb);
395 EVP_CIPHER_CTX_free(drbg->data.ctr.ctx_ctr);
396 EVP_CIPHER_CTX_free(drbg->data.ctr.ctx_df);
397 OPENSSL_cleanse(&drbg->data.ctr, sizeof(drbg->data.ctr));
401 static RAND_DRBG_METHOD drbg_ctr_meth = {
402 drbg_ctr_instantiate,
405 drbg_ctr_uninstantiate
408 int drbg_ctr_init(RAND_DRBG *drbg)
410 RAND_DRBG_CTR *ctr = &drbg->data.ctr;
413 switch (drbg->type) {
415 /* This can't happen, but silence the compiler warning. */
417 case NID_aes_128_ctr:
419 ctr->cipher_ecb = EVP_aes_128_ecb();
420 ctr->cipher_ctr = EVP_aes_128_ctr();
422 case NID_aes_192_ctr:
424 ctr->cipher_ecb = EVP_aes_192_ecb();
425 ctr->cipher_ctr = EVP_aes_192_ctr();
427 case NID_aes_256_ctr:
429 ctr->cipher_ecb = EVP_aes_256_ecb();
430 ctr->cipher_ctr = EVP_aes_256_ctr();
434 drbg->meth = &drbg_ctr_meth;
436 ctr->keylen = keylen;
437 if (ctr->ctx_ecb == NULL)
438 ctr->ctx_ecb = EVP_CIPHER_CTX_new();
439 if (ctr->ctx_ctr == NULL)
440 ctr->ctx_ctr = EVP_CIPHER_CTX_new();
441 if (ctr->ctx_ecb == NULL || ctr->ctx_ctr == NULL
442 || !EVP_CipherInit_ex(ctr->ctx_ecb,
443 ctr->cipher_ecb, NULL, NULL, NULL, 1)
444 || !EVP_CipherInit_ex(ctr->ctx_ctr,
445 ctr->cipher_ctr, NULL, NULL, NULL, 1))
448 drbg->meth = &drbg_ctr_meth;
449 drbg->strength = keylen * 8;
450 drbg->seedlen = keylen + 16;
452 if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
453 /* df initialisation */
454 static const unsigned char df_key[32] = {
455 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
456 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
457 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
458 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
461 if (ctr->ctx_df == NULL)
462 ctr->ctx_df = EVP_CIPHER_CTX_new();
463 if (ctr->ctx_df == NULL)
465 /* Set key schedule for df_key */
466 if (!EVP_CipherInit_ex(ctr->ctx_df,
467 ctr->cipher_ecb, NULL, df_key, NULL, 1))
470 drbg->min_entropylen = ctr->keylen;
471 drbg->max_entropylen = DRBG_MAX_LENGTH;
472 drbg->min_noncelen = drbg->min_entropylen / 2;
473 drbg->max_noncelen = DRBG_MAX_LENGTH;
474 drbg->max_perslen = DRBG_MAX_LENGTH;
475 drbg->max_adinlen = DRBG_MAX_LENGTH;
477 drbg->min_entropylen = drbg->seedlen;
478 drbg->max_entropylen = drbg->seedlen;
480 drbg->min_noncelen = 0;
481 drbg->max_noncelen = 0;
482 drbg->max_perslen = drbg->seedlen;
483 drbg->max_adinlen = drbg->seedlen;
486 drbg->max_request = 1 << 16;