2 * Copyright 2011-2023 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/crypto.h>
13 #include <openssl/err.h>
14 #include <openssl/rand.h>
15 #include <openssl/aes.h>
16 #include <openssl/proverr.h>
17 #include "crypto/modes.h"
18 #include "internal/thread_once.h"
19 #include "prov/implementations.h"
20 #include "prov/providercommon.h"
21 #include "prov/provider_ctx.h"
22 #include "drbg_local.h"
24 static OSSL_FUNC_rand_newctx_fn drbg_ctr_new_wrapper;
25 static OSSL_FUNC_rand_freectx_fn drbg_ctr_free;
26 static OSSL_FUNC_rand_instantiate_fn drbg_ctr_instantiate_wrapper;
27 static OSSL_FUNC_rand_uninstantiate_fn drbg_ctr_uninstantiate_wrapper;
28 static OSSL_FUNC_rand_generate_fn drbg_ctr_generate_wrapper;
29 static OSSL_FUNC_rand_reseed_fn drbg_ctr_reseed_wrapper;
30 static OSSL_FUNC_rand_settable_ctx_params_fn drbg_ctr_settable_ctx_params;
31 static OSSL_FUNC_rand_set_ctx_params_fn drbg_ctr_set_ctx_params;
32 static OSSL_FUNC_rand_gettable_ctx_params_fn drbg_ctr_gettable_ctx_params;
33 static OSSL_FUNC_rand_get_ctx_params_fn drbg_ctr_get_ctx_params;
34 static OSSL_FUNC_rand_verify_zeroization_fn drbg_ctr_verify_zeroization;
36 static int drbg_ctr_set_ctx_params_locked(void *vctx, const OSSL_PARAM params[]);
39 * The state of a DRBG AES-CTR.
41 typedef struct rand_drbg_ctr_st {
42 EVP_CIPHER_CTX *ctx_ecb;
43 EVP_CIPHER_CTX *ctx_ctr;
44 EVP_CIPHER_CTX *ctx_df;
45 EVP_CIPHER *cipher_ecb;
46 EVP_CIPHER *cipher_ctr;
51 /* Temporary block storage used by ctr_df */
52 unsigned char bltmp[16];
58 * Implementation of NIST SP 800-90A CTR DRBG.
60 static void inc_128(PROV_DRBG_CTR *ctr)
62 unsigned char *p = &ctr->V[0];
73 static void ctr_XOR(PROV_DRBG_CTR *ctr, const unsigned char *in, size_t inlen)
77 if (in == NULL || inlen == 0)
81 * Any zero padding will have no effect on the result as we
82 * are XORing. So just process however much input we have.
84 n = inlen < ctr->keylen ? inlen : ctr->keylen;
85 for (i = 0; i < n; i++)
87 if (inlen <= ctr->keylen)
90 n = inlen - ctr->keylen;
92 /* Should never happen */
95 for (i = 0; i < n; i++)
96 ctr->V[i] ^= in[i + ctr->keylen];
100 * Process a complete block using BCC algorithm of SP 800-90A 10.3.3
102 __owur static int ctr_BCC_block(PROV_DRBG_CTR *ctr, unsigned char *out,
103 const unsigned char *in, int len)
105 int i, outlen = AES_BLOCK_SIZE;
107 for (i = 0; i < len; i++)
110 if (!EVP_CipherUpdate(ctr->ctx_df, out, &outlen, out, len)
118 * Handle several BCC operations for as much data as we need for K and X
120 __owur static int ctr_BCC_blocks(PROV_DRBG_CTR *ctr, const unsigned char *in)
122 unsigned char in_tmp[48];
123 unsigned char num_of_blk = 2;
125 memcpy(in_tmp, in, 16);
126 memcpy(in_tmp + 16, in, 16);
127 if (ctr->keylen != 16) {
128 memcpy(in_tmp + 32, in, 16);
131 return ctr_BCC_block(ctr, ctr->KX, in_tmp, AES_BLOCK_SIZE * num_of_blk);
135 * Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
136 * see 10.3.1 stage 7.
138 __owur static int ctr_BCC_init(PROV_DRBG_CTR *ctr)
140 unsigned char bltmp[48] = {0};
141 unsigned char num_of_blk;
143 memset(ctr->KX, 0, 48);
144 num_of_blk = ctr->keylen == 16 ? 2 : 3;
145 bltmp[(AES_BLOCK_SIZE * 1) + 3] = 1;
146 bltmp[(AES_BLOCK_SIZE * 2) + 3] = 2;
147 return ctr_BCC_block(ctr, ctr->KX, bltmp, num_of_blk * AES_BLOCK_SIZE);
151 * Process several blocks into BCC algorithm, some possibly partial
153 __owur static int ctr_BCC_update(PROV_DRBG_CTR *ctr,
154 const unsigned char *in, size_t inlen)
156 if (in == NULL || inlen == 0)
159 /* If we have partial block handle it first */
160 if (ctr->bltmp_pos) {
161 size_t left = 16 - ctr->bltmp_pos;
163 /* If we now have a complete block process it */
165 memcpy(ctr->bltmp + ctr->bltmp_pos, in, left);
166 if (!ctr_BCC_blocks(ctr, ctr->bltmp))
174 /* Process zero or more complete blocks */
175 for (; inlen >= 16; in += 16, inlen -= 16) {
176 if (!ctr_BCC_blocks(ctr, in))
180 /* Copy any remaining partial block to the temporary buffer */
182 memcpy(ctr->bltmp + ctr->bltmp_pos, in, inlen);
183 ctr->bltmp_pos += inlen;
188 __owur static int ctr_BCC_final(PROV_DRBG_CTR *ctr)
190 if (ctr->bltmp_pos) {
191 memset(ctr->bltmp + ctr->bltmp_pos, 0, 16 - ctr->bltmp_pos);
192 if (!ctr_BCC_blocks(ctr, ctr->bltmp))
198 __owur static int ctr_df(PROV_DRBG_CTR *ctr,
199 const unsigned char *in1, size_t in1len,
200 const unsigned char *in2, size_t in2len,
201 const unsigned char *in3, size_t in3len)
203 static unsigned char c80 = 0x80;
205 unsigned char *p = ctr->bltmp;
206 int outlen = AES_BLOCK_SIZE;
208 if (!ctr_BCC_init(ctr))
216 inlen = in1len + in2len + in3len;
217 /* Initialise L||N in temporary block */
218 *p++ = (inlen >> 24) & 0xff;
219 *p++ = (inlen >> 16) & 0xff;
220 *p++ = (inlen >> 8) & 0xff;
223 /* NB keylen is at most 32 bytes */
227 *p = (unsigned char)((ctr->keylen + 16) & 0xff);
229 if (!ctr_BCC_update(ctr, in1, in1len)
230 || !ctr_BCC_update(ctr, in2, in2len)
231 || !ctr_BCC_update(ctr, in3, in3len)
232 || !ctr_BCC_update(ctr, &c80, 1)
233 || !ctr_BCC_final(ctr))
236 if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->KX, NULL, -1))
238 /* X follows key K */
239 if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX, &outlen, ctr->KX + ctr->keylen,
241 || outlen != AES_BLOCK_SIZE)
243 if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX + 16, &outlen, ctr->KX,
245 || outlen != AES_BLOCK_SIZE)
247 if (ctr->keylen != 16)
248 if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX + 32, &outlen,
249 ctr->KX + 16, AES_BLOCK_SIZE)
250 || outlen != AES_BLOCK_SIZE)
256 * NB the no-df Update in SP800-90A specifies a constant input length
257 * of seedlen, however other uses of this algorithm pad the input with
258 * zeroes if necessary and have up to two parameters XORed together,
259 * so we handle both cases in this function instead.
261 __owur static int ctr_update(PROV_DRBG *drbg,
262 const unsigned char *in1, size_t in1len,
263 const unsigned char *in2, size_t in2len,
264 const unsigned char *nonce, size_t noncelen)
266 PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
267 int outlen = AES_BLOCK_SIZE;
268 unsigned char V_tmp[48], out[48];
271 /* correct key is already set up. */
272 memcpy(V_tmp, ctr->V, 16);
274 memcpy(V_tmp + 16, ctr->V, 16);
275 if (ctr->keylen == 16) {
279 memcpy(V_tmp + 32, ctr->V, 16);
282 if (!EVP_CipherUpdate(ctr->ctx_ecb, out, &outlen, V_tmp, len)
285 memcpy(ctr->K, out, ctr->keylen);
286 memcpy(ctr->V, out + ctr->keylen, 16);
289 /* If no input reuse existing derived value */
290 if (in1 != NULL || nonce != NULL || in2 != NULL)
291 if (!ctr_df(ctr, in1, in1len, nonce, noncelen, in2, in2len))
293 /* If this a reuse input in1len != 0 */
295 ctr_XOR(ctr, ctr->KX, drbg->seedlen);
297 ctr_XOR(ctr, in1, in1len);
298 ctr_XOR(ctr, in2, in2len);
301 if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->K, NULL, -1)
302 || !EVP_CipherInit_ex(ctr->ctx_ctr, NULL, NULL, ctr->K, NULL, -1))
307 static int drbg_ctr_instantiate(PROV_DRBG *drbg,
308 const unsigned char *entropy, size_t entropylen,
309 const unsigned char *nonce, size_t noncelen,
310 const unsigned char *pers, size_t perslen)
312 PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
317 memset(ctr->K, 0, sizeof(ctr->K));
318 memset(ctr->V, 0, sizeof(ctr->V));
319 if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->K, NULL, -1))
323 if (!ctr_update(drbg, entropy, entropylen, pers, perslen, nonce, noncelen))
328 static int drbg_ctr_instantiate_wrapper(void *vdrbg, unsigned int strength,
329 int prediction_resistance,
330 const unsigned char *pstr,
332 const OSSL_PARAM params[])
334 PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
337 if (drbg->lock != NULL && !CRYPTO_THREAD_write_lock(drbg->lock))
340 if (!ossl_prov_is_running()
341 || !drbg_ctr_set_ctx_params_locked(drbg, params))
343 ret = ossl_prov_drbg_instantiate(drbg, strength, prediction_resistance,
346 if (drbg->lock != NULL)
347 CRYPTO_THREAD_unlock(drbg->lock);
351 static int drbg_ctr_reseed(PROV_DRBG *drbg,
352 const unsigned char *entropy, size_t entropylen,
353 const unsigned char *adin, size_t adinlen)
355 PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
361 if (!ctr_update(drbg, entropy, entropylen, adin, adinlen, NULL, 0))
366 static int drbg_ctr_reseed_wrapper(void *vdrbg, int prediction_resistance,
367 const unsigned char *ent, size_t ent_len,
368 const unsigned char *adin, size_t adin_len)
370 PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
372 return ossl_prov_drbg_reseed(drbg, prediction_resistance, ent, ent_len,
376 static void ctr96_inc(unsigned char *counter)
388 static int drbg_ctr_generate(PROV_DRBG *drbg,
389 unsigned char *out, size_t outlen,
390 const unsigned char *adin, size_t adinlen)
392 PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
393 unsigned int ctr32, blocks;
396 if (adin != NULL && adinlen != 0) {
399 if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
401 /* This means we reuse derived value */
415 if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
420 memset(out, 0, outlen);
423 if (!EVP_CipherInit_ex(ctr->ctx_ctr,
424 NULL, NULL, NULL, ctr->V, -1))
428 * outlen has type size_t while EVP_CipherUpdate takes an
429 * int argument and thus cannot be guaranteed to process more
430 * than 2^31-1 bytes at a time. We process such huge generate
431 * requests in 2^30 byte chunks, which is the greatest multiple
432 * of AES block size lower than or equal to 2^31-1.
434 buflen = outlen > (1U << 30) ? (1U << 30) : outlen;
435 blocks = (buflen + 15) / 16;
437 ctr32 = GETU32(ctr->V + 12) + blocks;
438 if (ctr32 < blocks) {
439 /* 32-bit counter overflow into V. */
442 buflen = blocks * 16;
447 PUTU32(ctr->V + 12, ctr32);
449 if (!EVP_CipherUpdate(ctr->ctx_ctr, out, &outl, out, buflen)
457 if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
462 static int drbg_ctr_generate_wrapper
463 (void *vdrbg, unsigned char *out, size_t outlen,
464 unsigned int strength, int prediction_resistance,
465 const unsigned char *adin, size_t adin_len)
467 PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
469 return ossl_prov_drbg_generate(drbg, out, outlen, strength,
470 prediction_resistance, adin, adin_len);
473 static int drbg_ctr_uninstantiate(PROV_DRBG *drbg)
475 PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
477 OPENSSL_cleanse(ctr->K, sizeof(ctr->K));
478 OPENSSL_cleanse(ctr->V, sizeof(ctr->V));
479 OPENSSL_cleanse(ctr->bltmp, sizeof(ctr->bltmp));
480 OPENSSL_cleanse(ctr->KX, sizeof(ctr->KX));
482 return ossl_prov_drbg_uninstantiate(drbg);
485 static int drbg_ctr_uninstantiate_wrapper(void *vdrbg)
487 PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
490 if (drbg->lock != NULL && !CRYPTO_THREAD_write_lock(drbg->lock))
493 ret = drbg_ctr_uninstantiate(drbg);
495 if (drbg->lock != NULL)
496 CRYPTO_THREAD_unlock(drbg->lock);
501 static int drbg_ctr_verify_zeroization(void *vdrbg)
503 PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
504 PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
507 if (drbg->lock != NULL && !CRYPTO_THREAD_read_lock(drbg->lock))
510 PROV_DRBG_VERIFY_ZEROIZATION(ctr->K);
511 PROV_DRBG_VERIFY_ZEROIZATION(ctr->V);
512 PROV_DRBG_VERIFY_ZEROIZATION(ctr->bltmp);
513 PROV_DRBG_VERIFY_ZEROIZATION(ctr->KX);
514 if (ctr->bltmp_pos != 0)
519 if (drbg->lock != NULL)
520 CRYPTO_THREAD_unlock(drbg->lock);
524 static int drbg_ctr_init_lengths(PROV_DRBG *drbg)
526 PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
529 /* Maximum number of bits per request = 2^19 = 2^16 bytes */
530 drbg->max_request = 1 << 16;
532 drbg->min_entropylen = 0;
533 drbg->max_entropylen = DRBG_MAX_LENGTH;
534 drbg->min_noncelen = 0;
535 drbg->max_noncelen = DRBG_MAX_LENGTH;
536 drbg->max_perslen = DRBG_MAX_LENGTH;
537 drbg->max_adinlen = DRBG_MAX_LENGTH;
539 if (ctr->keylen > 0) {
540 drbg->min_entropylen = ctr->keylen;
541 drbg->min_noncelen = drbg->min_entropylen / 2;
544 const size_t len = ctr->keylen > 0 ? drbg->seedlen : DRBG_MAX_LENGTH;
546 drbg->min_entropylen = len;
547 drbg->max_entropylen = len;
549 drbg->min_noncelen = 0;
550 drbg->max_noncelen = 0;
551 drbg->max_perslen = len;
552 drbg->max_adinlen = len;
557 static int drbg_ctr_init(PROV_DRBG *drbg)
559 PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
562 if (ctr->cipher_ctr == NULL) {
563 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CIPHER);
566 ctr->keylen = keylen = EVP_CIPHER_get_key_length(ctr->cipher_ctr);
567 if (ctr->ctx_ecb == NULL)
568 ctr->ctx_ecb = EVP_CIPHER_CTX_new();
569 if (ctr->ctx_ctr == NULL)
570 ctr->ctx_ctr = EVP_CIPHER_CTX_new();
571 if (ctr->ctx_ecb == NULL || ctr->ctx_ctr == NULL) {
572 ERR_raise(ERR_LIB_PROV, ERR_R_EVP_LIB);
576 if (!EVP_CipherInit_ex(ctr->ctx_ecb,
577 ctr->cipher_ecb, NULL, NULL, NULL, 1)
578 || !EVP_CipherInit_ex(ctr->ctx_ctr,
579 ctr->cipher_ctr, NULL, NULL, NULL, 1)) {
580 ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_INITIALISE_CIPHERS);
584 drbg->strength = keylen * 8;
585 drbg->seedlen = keylen + 16;
588 /* df initialisation */
589 static const unsigned char df_key[32] = {
590 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
591 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
592 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
593 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
596 if (ctr->ctx_df == NULL)
597 ctr->ctx_df = EVP_CIPHER_CTX_new();
598 if (ctr->ctx_df == NULL) {
599 ERR_raise(ERR_LIB_PROV, ERR_R_EVP_LIB);
602 /* Set key schedule for df_key */
603 if (!EVP_CipherInit_ex(ctr->ctx_df,
604 ctr->cipher_ecb, NULL, df_key, NULL, 1)) {
605 ERR_raise(ERR_LIB_PROV, PROV_R_DERIVATION_FUNCTION_INIT_FAILED);
609 return drbg_ctr_init_lengths(drbg);
612 EVP_CIPHER_CTX_free(ctr->ctx_ecb);
613 EVP_CIPHER_CTX_free(ctr->ctx_ctr);
614 ctr->ctx_ecb = ctr->ctx_ctr = NULL;
618 static int drbg_ctr_new(PROV_DRBG *drbg)
622 ctr = OPENSSL_secure_zalloc(sizeof(*ctr));
628 return drbg_ctr_init_lengths(drbg);
631 static void *drbg_ctr_new_wrapper(void *provctx, void *parent,
632 const OSSL_DISPATCH *parent_dispatch)
634 return ossl_rand_drbg_new(provctx, parent, parent_dispatch,
635 &drbg_ctr_new, &drbg_ctr_free,
636 &drbg_ctr_instantiate, &drbg_ctr_uninstantiate,
637 &drbg_ctr_reseed, &drbg_ctr_generate);
640 static void drbg_ctr_free(void *vdrbg)
642 PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
645 if (drbg != NULL && (ctr = (PROV_DRBG_CTR *)drbg->data) != NULL) {
646 EVP_CIPHER_CTX_free(ctr->ctx_ecb);
647 EVP_CIPHER_CTX_free(ctr->ctx_ctr);
648 EVP_CIPHER_CTX_free(ctr->ctx_df);
649 EVP_CIPHER_free(ctr->cipher_ecb);
650 EVP_CIPHER_free(ctr->cipher_ctr);
652 OPENSSL_secure_clear_free(ctr, sizeof(*ctr));
654 ossl_rand_drbg_free(drbg);
657 static int drbg_ctr_get_ctx_params(void *vdrbg, OSSL_PARAM params[])
659 PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
660 PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
662 int ret = 0, complete = 0;
664 if (!ossl_drbg_get_ctx_params_no_lock(drbg, params, &complete))
670 if (drbg->lock != NULL && !CRYPTO_THREAD_read_lock(drbg->lock))
673 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_USE_DF);
674 if (p != NULL && !OSSL_PARAM_set_int(p, ctr->use_df))
677 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_CIPHER);
679 if (ctr->cipher_ctr == NULL
680 || !OSSL_PARAM_set_utf8_string(p,
681 EVP_CIPHER_get0_name(ctr->cipher_ctr)))
685 ret = ossl_drbg_get_ctx_params(drbg, params);
687 if (drbg->lock != NULL)
688 CRYPTO_THREAD_unlock(drbg->lock);
693 static const OSSL_PARAM *drbg_ctr_gettable_ctx_params(ossl_unused void *vctx,
694 ossl_unused void *provctx)
696 static const OSSL_PARAM known_gettable_ctx_params[] = {
697 OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_CIPHER, NULL, 0),
698 OSSL_PARAM_int(OSSL_DRBG_PARAM_USE_DF, NULL),
699 OSSL_PARAM_DRBG_GETTABLE_CTX_COMMON,
702 return known_gettable_ctx_params;
705 static int drbg_ctr_set_ctx_params_locked(void *vctx, const OSSL_PARAM params[])
707 PROV_DRBG *ctx = (PROV_DRBG *)vctx;
708 PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)ctx->data;
709 OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
712 const char *propquery = NULL;
713 int i, cipher_init = 0;
715 if ((p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_USE_DF)) != NULL
716 && OSSL_PARAM_get_int(p, &i)) {
717 /* FIPS errors out in the drbg_ctr_init() call later */
718 ctr->use_df = i != 0;
722 if ((p = OSSL_PARAM_locate_const(params,
723 OSSL_DRBG_PARAM_PROPERTIES)) != NULL) {
724 if (p->data_type != OSSL_PARAM_UTF8_STRING)
726 propquery = (const char *)p->data;
729 if ((p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_CIPHER)) != NULL) {
730 const char *base = (const char *)p->data;
731 size_t ctr_str_len = sizeof("CTR") - 1;
732 size_t ecb_str_len = sizeof("ECB") - 1;
734 if (p->data_type != OSSL_PARAM_UTF8_STRING
735 || p->data_size < ctr_str_len)
737 if (OPENSSL_strcasecmp("CTR", base + p->data_size - ctr_str_len) != 0) {
738 ERR_raise(ERR_LIB_PROV, PROV_R_REQUIRE_CTR_MODE_CIPHER);
741 if ((ecb = OPENSSL_strndup(base, p->data_size)) == NULL)
743 strcpy(ecb + p->data_size - ecb_str_len, "ECB");
744 EVP_CIPHER_free(ctr->cipher_ecb);
745 EVP_CIPHER_free(ctr->cipher_ctr);
746 ctr->cipher_ctr = EVP_CIPHER_fetch(libctx, base, propquery);
747 ctr->cipher_ecb = EVP_CIPHER_fetch(libctx, ecb, propquery);
749 if (ctr->cipher_ctr == NULL || ctr->cipher_ecb == NULL) {
750 ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_FIND_CIPHERS);
756 if (cipher_init && !drbg_ctr_init(ctx))
759 return ossl_drbg_set_ctx_params(ctx, params);
762 static int drbg_ctr_set_ctx_params(void *vctx, const OSSL_PARAM params[])
764 PROV_DRBG *drbg = (PROV_DRBG *)vctx;
767 if (drbg->lock != NULL && !CRYPTO_THREAD_write_lock(drbg->lock))
770 ret = drbg_ctr_set_ctx_params_locked(vctx, params);
772 if (drbg->lock != NULL)
773 CRYPTO_THREAD_unlock(drbg->lock);
778 static const OSSL_PARAM *drbg_ctr_settable_ctx_params(ossl_unused void *vctx,
779 ossl_unused void *provctx)
781 static const OSSL_PARAM known_settable_ctx_params[] = {
782 OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_PROPERTIES, NULL, 0),
783 OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_CIPHER, NULL, 0),
784 OSSL_PARAM_int(OSSL_DRBG_PARAM_USE_DF, NULL),
785 OSSL_PARAM_DRBG_SETTABLE_CTX_COMMON,
788 return known_settable_ctx_params;
791 const OSSL_DISPATCH ossl_drbg_ctr_functions[] = {
792 { OSSL_FUNC_RAND_NEWCTX, (void(*)(void))drbg_ctr_new_wrapper },
793 { OSSL_FUNC_RAND_FREECTX, (void(*)(void))drbg_ctr_free },
794 { OSSL_FUNC_RAND_INSTANTIATE,
795 (void(*)(void))drbg_ctr_instantiate_wrapper },
796 { OSSL_FUNC_RAND_UNINSTANTIATE,
797 (void(*)(void))drbg_ctr_uninstantiate_wrapper },
798 { OSSL_FUNC_RAND_GENERATE, (void(*)(void))drbg_ctr_generate_wrapper },
799 { OSSL_FUNC_RAND_RESEED, (void(*)(void))drbg_ctr_reseed_wrapper },
800 { OSSL_FUNC_RAND_ENABLE_LOCKING, (void(*)(void))ossl_drbg_enable_locking },
801 { OSSL_FUNC_RAND_LOCK, (void(*)(void))ossl_drbg_lock },
802 { OSSL_FUNC_RAND_UNLOCK, (void(*)(void))ossl_drbg_unlock },
803 { OSSL_FUNC_RAND_SETTABLE_CTX_PARAMS,
804 (void(*)(void))drbg_ctr_settable_ctx_params },
805 { OSSL_FUNC_RAND_SET_CTX_PARAMS, (void(*)(void))drbg_ctr_set_ctx_params },
806 { OSSL_FUNC_RAND_GETTABLE_CTX_PARAMS,
807 (void(*)(void))drbg_ctr_gettable_ctx_params },
808 { OSSL_FUNC_RAND_GET_CTX_PARAMS, (void(*)(void))drbg_ctr_get_ctx_params },
809 { OSSL_FUNC_RAND_VERIFY_ZEROIZATION,
810 (void(*)(void))drbg_ctr_verify_zeroization },
811 { OSSL_FUNC_RAND_GET_SEED, (void(*)(void))ossl_drbg_get_seed },
812 { OSSL_FUNC_RAND_CLEAR_SEED, (void(*)(void))ossl_drbg_clear_seed },