2 * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/crypto.h>
13 #include <openssl/err.h>
14 #include <openssl/rand.h>
15 #include "crypto/modes.h"
16 #include "internal/thread_once.h"
17 #include "rand_local.h"
20 * Implementation of NIST SP 800-90A CTR DRBG.
22 static void inc_128(RAND_DRBG_CTR *ctr)
24 unsigned char *p = &ctr->V[0];
35 static void ctr_XOR(RAND_DRBG_CTR *ctr, const unsigned char *in, size_t inlen)
39 if (in == NULL || inlen == 0)
43 * Any zero padding will have no effect on the result as we
44 * are XORing. So just process however much input we have.
46 n = inlen < ctr->keylen ? inlen : ctr->keylen;
47 for (i = 0; i < n; i++)
49 if (inlen <= ctr->keylen)
52 n = inlen - ctr->keylen;
54 /* Should never happen */
57 for (i = 0; i < n; i++)
58 ctr->V[i] ^= in[i + ctr->keylen];
62 * Process a complete block using BCC algorithm of SP 800-90A 10.3.3
64 __owur static int ctr_BCC_block(RAND_DRBG_CTR *ctr, unsigned char *out,
65 const unsigned char *in, int len)
67 int i, outlen = AES_BLOCK_SIZE;
69 for (i = 0; i < len; i++)
72 if (!EVP_CipherUpdate(ctr->ctx_df, out, &outlen, out, len)
80 * Handle several BCC operations for as much data as we need for K and X
82 __owur static int ctr_BCC_blocks(RAND_DRBG_CTR *ctr, const unsigned char *in)
84 unsigned char in_tmp[48];
85 unsigned char num_of_blk = 2;
87 memcpy(in_tmp, in, 16);
88 memcpy(in_tmp + 16, in, 16);
89 if (ctr->keylen != 16) {
90 memcpy(in_tmp + 32, in, 16);
93 return ctr_BCC_block(ctr, ctr->KX, in_tmp, AES_BLOCK_SIZE * num_of_blk);
97 * Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
100 __owur static int ctr_BCC_init(RAND_DRBG_CTR *ctr)
102 unsigned char bltmp[48] = {0};
103 unsigned char num_of_blk;
105 memset(ctr->KX, 0, 48);
106 num_of_blk = ctr->keylen == 16 ? 2 : 3;
107 bltmp[(AES_BLOCK_SIZE * 1) + 3] = 1;
108 bltmp[(AES_BLOCK_SIZE * 2) + 3] = 2;
109 return ctr_BCC_block(ctr, ctr->KX, bltmp, num_of_blk * AES_BLOCK_SIZE);
113 * Process several blocks into BCC algorithm, some possibly partial
115 __owur static int ctr_BCC_update(RAND_DRBG_CTR *ctr,
116 const unsigned char *in, size_t inlen)
118 if (in == NULL || inlen == 0)
121 /* If we have partial block handle it first */
122 if (ctr->bltmp_pos) {
123 size_t left = 16 - ctr->bltmp_pos;
125 /* If we now have a complete block process it */
127 memcpy(ctr->bltmp + ctr->bltmp_pos, in, left);
128 if (!ctr_BCC_blocks(ctr, ctr->bltmp))
136 /* Process zero or more complete blocks */
137 for (; inlen >= 16; in += 16, inlen -= 16) {
138 if (!ctr_BCC_blocks(ctr, in))
142 /* Copy any remaining partial block to the temporary buffer */
144 memcpy(ctr->bltmp + ctr->bltmp_pos, in, inlen);
145 ctr->bltmp_pos += inlen;
150 __owur static int ctr_BCC_final(RAND_DRBG_CTR *ctr)
152 if (ctr->bltmp_pos) {
153 memset(ctr->bltmp + ctr->bltmp_pos, 0, 16 - ctr->bltmp_pos);
154 if (!ctr_BCC_blocks(ctr, ctr->bltmp))
160 __owur static int ctr_df(RAND_DRBG_CTR *ctr,
161 const unsigned char *in1, size_t in1len,
162 const unsigned char *in2, size_t in2len,
163 const unsigned char *in3, size_t in3len)
165 static unsigned char c80 = 0x80;
167 unsigned char *p = ctr->bltmp;
168 int outlen = AES_BLOCK_SIZE;
170 if (!ctr_BCC_init(ctr))
178 inlen = in1len + in2len + in3len;
179 /* Initialise L||N in temporary block */
180 *p++ = (inlen >> 24) & 0xff;
181 *p++ = (inlen >> 16) & 0xff;
182 *p++ = (inlen >> 8) & 0xff;
185 /* NB keylen is at most 32 bytes */
189 *p = (unsigned char)((ctr->keylen + 16) & 0xff);
191 if (!ctr_BCC_update(ctr, in1, in1len)
192 || !ctr_BCC_update(ctr, in2, in2len)
193 || !ctr_BCC_update(ctr, in3, in3len)
194 || !ctr_BCC_update(ctr, &c80, 1)
195 || !ctr_BCC_final(ctr))
198 if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->KX, NULL, -1))
200 /* X follows key K */
201 if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX, &outlen, ctr->KX + ctr->keylen,
203 || outlen != AES_BLOCK_SIZE)
205 if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX + 16, &outlen, ctr->KX,
207 || outlen != AES_BLOCK_SIZE)
209 if (ctr->keylen != 16)
210 if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX + 32, &outlen,
211 ctr->KX + 16, AES_BLOCK_SIZE)
212 || outlen != AES_BLOCK_SIZE)
218 * NB the no-df Update in SP800-90A specifies a constant input length
219 * of seedlen, however other uses of this algorithm pad the input with
220 * zeroes if necessary and have up to two parameters XORed together,
221 * so we handle both cases in this function instead.
223 __owur static int ctr_update(RAND_DRBG *drbg,
224 const unsigned char *in1, size_t in1len,
225 const unsigned char *in2, size_t in2len,
226 const unsigned char *nonce, size_t noncelen)
228 RAND_DRBG_CTR *ctr = &drbg->data.ctr;
229 int outlen = AES_BLOCK_SIZE;
230 unsigned char V_tmp[48], out[48];
233 /* correct key is already set up. */
234 memcpy(V_tmp, ctr->V, 16);
236 memcpy(V_tmp + 16, ctr->V, 16);
237 if (ctr->keylen == 16) {
241 memcpy(V_tmp + 32, ctr->V, 16);
244 if (!EVP_CipherUpdate(ctr->ctx_ecb, out, &outlen, V_tmp, len)
247 memcpy(ctr->K, out, ctr->keylen);
248 memcpy(ctr->V, out + ctr->keylen, 16);
250 if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
251 /* If no input reuse existing derived value */
252 if (in1 != NULL || nonce != NULL || in2 != NULL)
253 if (!ctr_df(ctr, in1, in1len, nonce, noncelen, in2, in2len))
255 /* If this a reuse input in1len != 0 */
257 ctr_XOR(ctr, ctr->KX, drbg->seedlen);
259 ctr_XOR(ctr, in1, in1len);
260 ctr_XOR(ctr, in2, in2len);
263 if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->K, NULL, -1)
264 || !EVP_CipherInit_ex(ctr->ctx_ctr, NULL, NULL, ctr->K, NULL, -1))
269 __owur static int drbg_ctr_instantiate(RAND_DRBG *drbg,
270 const unsigned char *entropy, size_t entropylen,
271 const unsigned char *nonce, size_t noncelen,
272 const unsigned char *pers, size_t perslen)
274 RAND_DRBG_CTR *ctr = &drbg->data.ctr;
279 memset(ctr->K, 0, sizeof(ctr->K));
280 memset(ctr->V, 0, sizeof(ctr->V));
281 if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->K, NULL, -1))
285 if (!ctr_update(drbg, entropy, entropylen, pers, perslen, nonce, noncelen))
290 __owur static int drbg_ctr_reseed(RAND_DRBG *drbg,
291 const unsigned char *entropy, size_t entropylen,
292 const unsigned char *adin, size_t adinlen)
294 RAND_DRBG_CTR *ctr = &drbg->data.ctr;
300 if (!ctr_update(drbg, entropy, entropylen, adin, adinlen, NULL, 0))
305 static void ctr96_inc(unsigned char *counter)
317 __owur static int drbg_ctr_generate(RAND_DRBG *drbg,
318 unsigned char *out, size_t outlen,
319 const unsigned char *adin, size_t adinlen)
321 RAND_DRBG_CTR *ctr = &drbg->data.ctr;
322 unsigned int ctr32, blocks;
325 if (adin != NULL && adinlen != 0) {
328 if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
330 /* This means we reuse derived value */
331 if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
344 if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
349 memset(out, 0, outlen);
352 if (!EVP_CipherInit_ex(ctr->ctx_ctr,
353 NULL, NULL, NULL, ctr->V, -1))
357 * outlen has type size_t while EVP_CipherUpdate takes an
358 * int argument and thus cannot be guaranteed to process more
359 * than 2^31-1 bytes at a time. We process such huge generate
360 * requests in 2^30 byte chunks, which is the greatest multiple
361 * of AES block size lower than or equal to 2^31-1.
363 buflen = outlen > (1U << 30) ? (1U << 30) : outlen;
364 blocks = (buflen + 15) / 16;
366 ctr32 = GETU32(ctr->V + 12) + blocks;
367 if (ctr32 < blocks) {
368 /* 32-bit counter overflow into V. */
371 buflen = blocks * 16;
376 PUTU32(ctr->V + 12, ctr32);
378 if (!EVP_CipherUpdate(ctr->ctx_ctr, out, &outl, out, buflen)
386 if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
391 static int drbg_ctr_uninstantiate(RAND_DRBG *drbg)
393 EVP_CIPHER_CTX_free(drbg->data.ctr.ctx_ecb);
394 EVP_CIPHER_CTX_free(drbg->data.ctr.ctx_ctr);
395 EVP_CIPHER_CTX_free(drbg->data.ctr.ctx_df);
396 EVP_CIPHER_free(drbg->data.ctr.cipher_ecb);
397 EVP_CIPHER_free(drbg->data.ctr.cipher_ctr);
398 OPENSSL_cleanse(&drbg->data.ctr, sizeof(drbg->data.ctr));
402 static RAND_DRBG_METHOD drbg_ctr_meth = {
403 drbg_ctr_instantiate,
406 drbg_ctr_uninstantiate
409 int drbg_ctr_init(RAND_DRBG *drbg)
411 RAND_DRBG_CTR *ctr = &drbg->data.ctr;
413 EVP_CIPHER *cipher_ecb = NULL;
414 EVP_CIPHER *cipher_ctr = NULL;
416 switch (drbg->type) {
418 /* This can't happen, but silence the compiler warning. */
420 case NID_aes_128_ctr:
422 cipher_ecb = EVP_CIPHER_fetch(drbg->libctx, "AES-128-ECB", "");
423 cipher_ctr = EVP_CIPHER_fetch(drbg->libctx, "AES-128-CTR", "");
425 case NID_aes_192_ctr:
427 cipher_ecb = EVP_CIPHER_fetch(drbg->libctx, "AES-192-ECB", "");
428 cipher_ctr = EVP_CIPHER_fetch(drbg->libctx, "AES-192-CTR", "");
430 case NID_aes_256_ctr:
432 cipher_ecb = EVP_CIPHER_fetch(drbg->libctx, "AES-256-ECB", "");
433 cipher_ctr = EVP_CIPHER_fetch(drbg->libctx, "AES-256-CTR", "");
436 if (cipher_ecb == NULL || cipher_ctr == NULL)
439 EVP_CIPHER_free(ctr->cipher_ecb);
440 ctr->cipher_ecb = cipher_ecb;
441 EVP_CIPHER_free(ctr->cipher_ctr);
442 ctr->cipher_ctr = cipher_ctr;
444 ctr->keylen = keylen;
445 if (ctr->ctx_ecb == NULL)
446 ctr->ctx_ecb = EVP_CIPHER_CTX_new();
447 if (ctr->ctx_ctr == NULL)
448 ctr->ctx_ctr = EVP_CIPHER_CTX_new();
449 if (ctr->ctx_ecb == NULL || ctr->ctx_ctr == NULL
450 || !EVP_CipherInit_ex(ctr->ctx_ecb,
451 ctr->cipher_ecb, NULL, NULL, NULL, 1)
452 || !EVP_CipherInit_ex(ctr->ctx_ctr,
453 ctr->cipher_ctr, NULL, NULL, NULL, 1))
456 drbg->meth = &drbg_ctr_meth;
457 drbg->strength = keylen * 8;
458 drbg->seedlen = keylen + 16;
460 if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
461 /* df initialisation */
462 static const unsigned char df_key[32] = {
463 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
464 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
465 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
466 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
469 if (ctr->ctx_df == NULL)
470 ctr->ctx_df = EVP_CIPHER_CTX_new();
471 if (ctr->ctx_df == NULL)
473 /* Set key schedule for df_key */
474 if (!EVP_CipherInit_ex(ctr->ctx_df,
475 ctr->cipher_ecb, NULL, df_key, NULL, 1))
478 drbg->min_entropylen = ctr->keylen;
479 drbg->max_entropylen = DRBG_MAX_LENGTH;
480 drbg->min_noncelen = drbg->min_entropylen / 2;
481 drbg->max_noncelen = DRBG_MAX_LENGTH;
482 drbg->max_perslen = DRBG_MAX_LENGTH;
483 drbg->max_adinlen = DRBG_MAX_LENGTH;
486 RANDerr(RAND_F_DRBG_CTR_INIT,
487 RAND_R_DERIVATION_FUNCTION_MANDATORY_FOR_FIPS);
490 drbg->min_entropylen = drbg->seedlen;
491 drbg->max_entropylen = drbg->seedlen;
493 drbg->min_noncelen = 0;
494 drbg->max_noncelen = 0;
495 drbg->max_perslen = drbg->seedlen;
496 drbg->max_adinlen = drbg->seedlen;
500 drbg->max_request = 1 << 16;