2 * Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/crypto.h>
13 #include <openssl/err.h>
14 #include <openssl/rand.h>
15 #include "internal/thread_once.h"
19 * Implementation of NIST SP 800-90A CTR DRBG.
21 static void inc_128(RAND_DRBG_CTR *ctr)
25 unsigned char *p = &ctr->V[15];
27 for (i = 0; i < 16; i++, p--) {
32 /* If we didn't wrap around, we're done. */
38 static void ctr_XOR(RAND_DRBG_CTR *ctr, const unsigned char *in, size_t inlen)
42 if (in == NULL || inlen == 0)
46 * Any zero padding will have no effect on the result as we
47 * are XORing. So just process however much input we have.
49 n = inlen < ctr->keylen ? inlen : ctr->keylen;
50 for (i = 0; i < n; i++)
52 if (inlen <= ctr->keylen)
55 n = inlen - ctr->keylen;
57 /* Should never happen */
60 for (i = 0; i < n; i++)
61 ctr->V[i] ^= in[i + ctr->keylen];
65 * Process a complete block using BCC algorithm of SP 800-90A 10.3.3
67 __owur static int ctr_BCC_block(RAND_DRBG_CTR *ctr, unsigned char *out,
68 const unsigned char *in)
70 int i, outlen = AES_BLOCK_SIZE;
72 for (i = 0; i < 16; i++)
75 if (!EVP_CipherUpdate(ctr->ctx_df, out, &outlen, out, AES_BLOCK_SIZE)
76 || outlen != AES_BLOCK_SIZE)
83 * Handle several BCC operations for as much data as we need for K and X
85 __owur static int ctr_BCC_blocks(RAND_DRBG_CTR *ctr, const unsigned char *in)
87 if (!ctr_BCC_block(ctr, ctr->KX, in)
88 || !ctr_BCC_block(ctr, ctr->KX + 16, in))
90 if (ctr->keylen != 16 && !ctr_BCC_block(ctr, ctr->KX + 32, in))
96 * Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
99 __owur static int ctr_BCC_init(RAND_DRBG_CTR *ctr)
101 memset(ctr->KX, 0, 48);
102 memset(ctr->bltmp, 0, 16);
103 if (!ctr_BCC_block(ctr, ctr->KX, ctr->bltmp))
106 if (!ctr_BCC_block(ctr, ctr->KX + 16, ctr->bltmp))
108 if (ctr->keylen != 16) {
110 if (!ctr_BCC_block(ctr, ctr->KX + 32, ctr->bltmp))
117 * Process several blocks into BCC algorithm, some possibly partial
119 __owur static int ctr_BCC_update(RAND_DRBG_CTR *ctr,
120 const unsigned char *in, size_t inlen)
122 if (in == NULL || inlen == 0)
125 /* If we have partial block handle it first */
126 if (ctr->bltmp_pos) {
127 size_t left = 16 - ctr->bltmp_pos;
129 /* If we now have a complete block process it */
131 memcpy(ctr->bltmp + ctr->bltmp_pos, in, left);
132 if (!ctr_BCC_blocks(ctr, ctr->bltmp))
140 /* Process zero or more complete blocks */
141 for (; inlen >= 16; in += 16, inlen -= 16) {
142 if (!ctr_BCC_blocks(ctr, in))
146 /* Copy any remaining partial block to the temporary buffer */
148 memcpy(ctr->bltmp + ctr->bltmp_pos, in, inlen);
149 ctr->bltmp_pos += inlen;
154 __owur static int ctr_BCC_final(RAND_DRBG_CTR *ctr)
156 if (ctr->bltmp_pos) {
157 memset(ctr->bltmp + ctr->bltmp_pos, 0, 16 - ctr->bltmp_pos);
158 if (!ctr_BCC_blocks(ctr, ctr->bltmp))
164 __owur static int ctr_df(RAND_DRBG_CTR *ctr,
165 const unsigned char *in1, size_t in1len,
166 const unsigned char *in2, size_t in2len,
167 const unsigned char *in3, size_t in3len)
169 static unsigned char c80 = 0x80;
171 unsigned char *p = ctr->bltmp;
172 int outlen = AES_BLOCK_SIZE;
174 if (!ctr_BCC_init(ctr))
182 inlen = in1len + in2len + in3len;
183 /* Initialise L||N in temporary block */
184 *p++ = (inlen >> 24) & 0xff;
185 *p++ = (inlen >> 16) & 0xff;
186 *p++ = (inlen >> 8) & 0xff;
189 /* NB keylen is at most 32 bytes */
193 *p = (unsigned char)((ctr->keylen + 16) & 0xff);
195 if (!ctr_BCC_update(ctr, in1, in1len)
196 || !ctr_BCC_update(ctr, in2, in2len)
197 || !ctr_BCC_update(ctr, in3, in3len)
198 || !ctr_BCC_update(ctr, &c80, 1)
199 || !ctr_BCC_final(ctr))
202 if (!EVP_CipherInit_ex(ctr->ctx, ctr->cipher, NULL, ctr->KX, NULL, 1))
204 /* X follows key K */
205 if (!EVP_CipherUpdate(ctr->ctx, ctr->KX, &outlen, ctr->KX + ctr->keylen,
207 || outlen != AES_BLOCK_SIZE)
209 if (!EVP_CipherUpdate(ctr->ctx, ctr->KX + 16, &outlen, ctr->KX,
211 || outlen != AES_BLOCK_SIZE)
213 if (ctr->keylen != 16)
214 if (!EVP_CipherUpdate(ctr->ctx, ctr->KX + 32, &outlen, ctr->KX + 16,
216 || outlen != AES_BLOCK_SIZE)
222 * NB the no-df Update in SP800-90A specifies a constant input length
223 * of seedlen, however other uses of this algorithm pad the input with
224 * zeroes if necessary and have up to two parameters XORed together,
225 * so we handle both cases in this function instead.
227 __owur static int ctr_update(RAND_DRBG *drbg,
228 const unsigned char *in1, size_t in1len,
229 const unsigned char *in2, size_t in2len,
230 const unsigned char *nonce, size_t noncelen)
232 RAND_DRBG_CTR *ctr = &drbg->data.ctr;
233 int outlen = AES_BLOCK_SIZE;
235 /* correct key is already set up. */
237 if (!EVP_CipherUpdate(ctr->ctx, ctr->K, &outlen, ctr->V, AES_BLOCK_SIZE)
238 || outlen != AES_BLOCK_SIZE)
241 /* If keylen longer than 128 bits need extra encrypt */
242 if (ctr->keylen != 16) {
244 if (!EVP_CipherUpdate(ctr->ctx, ctr->K+16, &outlen, ctr->V,
246 || outlen != AES_BLOCK_SIZE)
250 if (!EVP_CipherUpdate(ctr->ctx, ctr->V, &outlen, ctr->V, AES_BLOCK_SIZE)
251 || outlen != AES_BLOCK_SIZE)
254 /* If 192 bit key part of V is on end of K */
255 if (ctr->keylen == 24) {
256 memcpy(ctr->V + 8, ctr->V, 8);
257 memcpy(ctr->V, ctr->K + 24, 8);
260 if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
261 /* If no input reuse existing derived value */
262 if (in1 != NULL || nonce != NULL || in2 != NULL)
263 if (!ctr_df(ctr, in1, in1len, nonce, noncelen, in2, in2len))
265 /* If this a reuse input in1len != 0 */
267 ctr_XOR(ctr, ctr->KX, drbg->seedlen);
269 ctr_XOR(ctr, in1, in1len);
270 ctr_XOR(ctr, in2, in2len);
273 if (!EVP_CipherInit_ex(ctr->ctx, ctr->cipher, NULL, ctr->K, NULL, 1))
278 __owur static int drbg_ctr_instantiate(RAND_DRBG *drbg,
279 const unsigned char *entropy, size_t entropylen,
280 const unsigned char *nonce, size_t noncelen,
281 const unsigned char *pers, size_t perslen)
283 RAND_DRBG_CTR *ctr = &drbg->data.ctr;
288 memset(ctr->K, 0, sizeof(ctr->K));
289 memset(ctr->V, 0, sizeof(ctr->V));
290 if (!EVP_CipherInit_ex(ctr->ctx, ctr->cipher, NULL, ctr->K, NULL, 1))
292 if (!ctr_update(drbg, entropy, entropylen, pers, perslen, nonce, noncelen))
297 __owur static int drbg_ctr_reseed(RAND_DRBG *drbg,
298 const unsigned char *entropy, size_t entropylen,
299 const unsigned char *adin, size_t adinlen)
303 if (!ctr_update(drbg, entropy, entropylen, adin, adinlen, NULL, 0))
308 __owur static int drbg_ctr_generate(RAND_DRBG *drbg,
309 unsigned char *out, size_t outlen,
310 const unsigned char *adin, size_t adinlen)
312 RAND_DRBG_CTR *ctr = &drbg->data.ctr;
314 if (adin != NULL && adinlen != 0) {
315 if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
317 /* This means we reuse derived value */
318 if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
327 int outl = AES_BLOCK_SIZE;
331 /* Use K as temp space as it will be updated */
332 if (!EVP_CipherUpdate(ctr->ctx, ctr->K, &outl, ctr->V,
334 || outl != AES_BLOCK_SIZE)
336 memcpy(out, ctr->K, outlen);
339 if (!EVP_CipherUpdate(ctr->ctx, out, &outl, ctr->V, AES_BLOCK_SIZE)
340 || outl != AES_BLOCK_SIZE)
348 if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
353 static int drbg_ctr_uninstantiate(RAND_DRBG *drbg)
355 EVP_CIPHER_CTX_free(drbg->data.ctr.ctx);
356 EVP_CIPHER_CTX_free(drbg->data.ctr.ctx_df);
357 EVP_CIPHER_meth_free(drbg->data.ctr.cipher);
358 OPENSSL_cleanse(&drbg->data.ctr, sizeof(drbg->data.ctr));
362 static RAND_DRBG_METHOD drbg_ctr_meth = {
363 drbg_ctr_instantiate,
366 drbg_ctr_uninstantiate
369 int drbg_ctr_init(RAND_DRBG *drbg)
371 RAND_DRBG_CTR *ctr = &drbg->data.ctr;
373 EVP_CIPHER *cipher = NULL;
375 switch (drbg->type) {
377 /* This can't happen, but silence the compiler warning. */
379 case NID_aes_128_ctr:
381 cipher = EVP_CIPHER_fetch(drbg->libctx, "AES-128-ECB", "");
383 case NID_aes_192_ctr:
385 cipher = EVP_CIPHER_fetch(drbg->libctx, "AES-192-ECB", "");
387 case NID_aes_256_ctr:
389 cipher = EVP_CIPHER_fetch(drbg->libctx, "AES-256-ECB", "");
395 EVP_CIPHER_meth_free(ctr->cipher);
396 ctr->cipher = cipher;
398 drbg->meth = &drbg_ctr_meth;
400 ctr->keylen = keylen;
401 if (ctr->ctx == NULL)
402 ctr->ctx = EVP_CIPHER_CTX_new();
403 if (ctr->ctx == NULL)
405 drbg->strength = keylen * 8;
406 drbg->seedlen = keylen + 16;
408 if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
409 /* df initialisation */
410 static const unsigned char df_key[32] = {
411 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
412 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
413 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
414 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
417 if (ctr->ctx_df == NULL)
418 ctr->ctx_df = EVP_CIPHER_CTX_new();
419 if (ctr->ctx_df == NULL)
421 /* Set key schedule for df_key */
422 if (!EVP_CipherInit_ex(ctr->ctx_df, ctr->cipher, NULL, df_key, NULL, 1))
425 drbg->min_entropylen = ctr->keylen;
426 drbg->max_entropylen = DRBG_MAX_LENGTH;
427 drbg->min_noncelen = drbg->min_entropylen / 2;
428 drbg->max_noncelen = DRBG_MAX_LENGTH;
429 drbg->max_perslen = DRBG_MAX_LENGTH;
430 drbg->max_adinlen = DRBG_MAX_LENGTH;
433 RANDerr(RAND_F_DRBG_CTR_INIT,
434 RAND_R_DERIVATION_FUNCTION_MANDATORY_FOR_FIPS);
437 drbg->min_entropylen = drbg->seedlen;
438 drbg->max_entropylen = drbg->seedlen;
440 drbg->min_noncelen = 0;
441 drbg->max_noncelen = 0;
442 drbg->max_perslen = drbg->seedlen;
443 drbg->max_adinlen = drbg->seedlen;
447 drbg->max_request = 1 << 16;