2 * Copyright 2011-2017 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/crypto.h>
13 #include <openssl/err.h>
14 #include <openssl/rand.h>
16 #include "internal/thread_once.h"
19 * Mapping of NIST SP 800-90A DRBG to OpenSSL RAND_METHOD.
24 * The default global DRBG and its auto-init/auto-cleanup.
26 static DRBG_CTX ossl_drbg;
28 static CRYPTO_ONCE ossl_drbg_init = CRYPTO_ONCE_STATIC_INIT;
30 DEFINE_RUN_ONCE_STATIC(do_ossl_drbg_init)
32 ossl_drbg.lock = CRYPTO_THREAD_lock_new();
33 return ossl_drbg.lock != NULL;
36 void rand_drbg_cleanup(void)
38 CRYPTO_THREAD_lock_free(ossl_drbg.lock);
41 static void inc_128(DRBG_CTR_CTX *cctx)
45 unsigned char *p = &cctx->V[15];
47 for (i = 0; i < 16; i++, p--) {
52 /* If we didn't wrap around, we're done. */
58 static void ctr_XOR(DRBG_CTR_CTX *cctx, const unsigned char *in, size_t inlen)
62 if (in == NULL || inlen == 0)
66 * Any zero padding will have no effect on the result as we
67 * are XORing. So just process however much input we have.
69 n = inlen < cctx->keylen ? inlen : cctx->keylen;
70 for (i = 0; i < n; i++)
72 if (inlen <= cctx->keylen)
75 n = inlen - cctx->keylen;
77 /* Should never happen */
80 for (i = 0; i < 16; i++)
81 cctx->V[i] ^= in[i + cctx->keylen];
85 * Process a complete block using BCC algorithm of SP 800-90A 10.3.3
87 static void ctr_BCC_block(DRBG_CTR_CTX *cctx, unsigned char *out,
88 const unsigned char *in)
92 for (i = 0; i < 16; i++)
94 AES_encrypt(out, out, &cctx->df_ks);
99 * Handle several BCC operations for as much data as we need for K and X
101 static void ctr_BCC_blocks(DRBG_CTR_CTX *cctx, const unsigned char *in)
103 ctr_BCC_block(cctx, cctx->KX, in);
104 ctr_BCC_block(cctx, cctx->KX + 16, in);
105 if (cctx->keylen != 16)
106 ctr_BCC_block(cctx, cctx->KX + 32, in);
110 * Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
111 * see 10.3.1 stage 7.
113 static void ctr_BCC_init(DRBG_CTR_CTX *cctx)
115 memset(cctx->KX, 0, 48);
116 memset(cctx->bltmp, 0, 16);
117 ctr_BCC_block(cctx, cctx->KX, cctx->bltmp);
119 ctr_BCC_block(cctx, cctx->KX + 16, cctx->bltmp);
120 if (cctx->keylen != 16) {
122 ctr_BCC_block(cctx, cctx->KX + 32, cctx->bltmp);
127 * Process several blocks into BCC algorithm, some possibly partial
129 static void ctr_BCC_update(DRBG_CTR_CTX *cctx,
130 const unsigned char *in, size_t inlen)
132 if (in == NULL || inlen == 0)
135 /* If we have partial block handle it first */
136 if (cctx->bltmp_pos) {
137 size_t left = 16 - cctx->bltmp_pos;
139 /* If we now have a complete block process it */
141 memcpy(cctx->bltmp + cctx->bltmp_pos, in, left);
142 ctr_BCC_blocks(cctx, cctx->bltmp);
149 /* Process zero or more complete blocks */
150 for (; inlen >= 16; in += 16, inlen -= 16) {
151 ctr_BCC_blocks(cctx, in);
154 /* Copy any remaining partial block to the temporary buffer */
156 memcpy(cctx->bltmp + cctx->bltmp_pos, in, inlen);
157 cctx->bltmp_pos += inlen;
161 static void ctr_BCC_final(DRBG_CTR_CTX *cctx)
163 if (cctx->bltmp_pos) {
164 memset(cctx->bltmp + cctx->bltmp_pos, 0, 16 - cctx->bltmp_pos);
165 ctr_BCC_blocks(cctx, cctx->bltmp);
169 static void ctr_df(DRBG_CTR_CTX *cctx,
170 const unsigned char *in1, size_t in1len,
171 const unsigned char *in2, size_t in2len,
172 const unsigned char *in3, size_t in3len)
174 static unsigned char c80 = 0x80;
176 unsigned char *p = cctx->bltmp;
185 inlen = in1len + in2len + in3len;
186 /* Initialise L||N in temporary block */
187 *p++ = (inlen >> 24) & 0xff;
188 *p++ = (inlen >> 16) & 0xff;
189 *p++ = (inlen >> 8) & 0xff;
192 /* NB keylen is at most 32 bytes */
196 *p = (unsigned char)((cctx->keylen + 16) & 0xff);
198 ctr_BCC_update(cctx, in1, in1len);
199 ctr_BCC_update(cctx, in2, in2len);
200 ctr_BCC_update(cctx, in3, in3len);
201 ctr_BCC_update(cctx, &c80, 1);
204 AES_set_encrypt_key(cctx->KX, cctx->keylen * 8, &cctx->df_kxks);
205 /* X follows key K */
206 AES_encrypt(cctx->KX + cctx->keylen, cctx->KX, &cctx->df_kxks);
207 AES_encrypt(cctx->KX, cctx->KX + 16, &cctx->df_kxks);
208 if (cctx->keylen != 16)
209 AES_encrypt(cctx->KX + 16, cctx->KX + 32, &cctx->df_kxks);
213 * NB the no-df Update in SP800-90A specifies a constant input length
214 * of seedlen, however other uses of this algorithm pad the input with
215 * zeroes if necessary and have up to two parameters XORed together,
216 * handle both cases in this function instead.
218 static void ctr_update(DRBG_CTX *dctx,
219 const unsigned char *in1, size_t in1len,
220 const unsigned char *in2, size_t in2len,
221 const unsigned char *nonce, size_t noncelen)
223 DRBG_CTR_CTX *cctx = &dctx->ctr;
225 /* ks is already setup for correct key */
227 AES_encrypt(cctx->V, cctx->K, &cctx->ks);
229 /* If keylen longer than 128 bits need extra encrypt */
230 if (cctx->keylen != 16) {
232 AES_encrypt(cctx->V, cctx->K + 16, &cctx->ks);
235 AES_encrypt(cctx->V, cctx->V, &cctx->ks);
237 /* If 192 bit key part of V is on end of K */
238 if (cctx->keylen == 24) {
239 memcpy(cctx->V + 8, cctx->V, 8);
240 memcpy(cctx->V, cctx->K + 24, 8);
243 if (dctx->flags & RAND_DRBG_FLAG_CTR_USE_DF) {
244 /* If no input reuse existing derived value */
245 if (in1 != NULL || nonce != NULL || in2 != NULL)
246 ctr_df(cctx, in1, in1len, nonce, noncelen, in2, in2len);
247 /* If this a reuse input in1len != 0 */
249 ctr_XOR(cctx, cctx->KX, dctx->seedlen);
251 ctr_XOR(cctx, in1, in1len);
252 ctr_XOR(cctx, in2, in2len);
255 AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks);
258 int ctr_instantiate(DRBG_CTX *dctx,
259 const unsigned char *ent, size_t entlen,
260 const unsigned char *nonce, size_t noncelen,
261 const unsigned char *pers, size_t perslen)
263 DRBG_CTR_CTX *cctx = &dctx->ctr;
265 memset(cctx->K, 0, sizeof(cctx->K));
266 memset(cctx->V, 0, sizeof(cctx->V));
267 AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks);
268 ctr_update(dctx, ent, entlen, pers, perslen, nonce, noncelen);
272 int ctr_reseed(DRBG_CTX *dctx,
273 const unsigned char *ent, size_t entlen,
274 const unsigned char *adin, size_t adinlen)
276 ctr_update(dctx, ent, entlen, adin, adinlen, NULL, 0);
280 int ctr_generate(DRBG_CTX *dctx,
281 unsigned char *out, size_t outlen,
282 const unsigned char *adin, size_t adinlen)
284 DRBG_CTR_CTX *cctx = &dctx->ctr;
286 if (adin != NULL && adinlen != 0) {
287 ctr_update(dctx, adin, adinlen, NULL, 0, NULL, 0);
288 /* This means we reuse derived value */
289 if (dctx->flags & RAND_DRBG_FLAG_CTR_USE_DF) {
300 /* Use K as temp space as it will be updated */
301 AES_encrypt(cctx->V, cctx->K, &cctx->ks);
302 memcpy(out, cctx->K, outlen);
305 AES_encrypt(cctx->V, out, &cctx->ks);
312 ctr_update(dctx, adin, adinlen, NULL, 0, NULL, 0);
316 int ctr_uninstantiate(DRBG_CTX *dctx)
318 memset(&dctx->ctr, 0, sizeof(dctx->ctr));
322 int ctr_init(DRBG_CTX *dctx)
324 DRBG_CTR_CTX *cctx = &dctx->ctr;
329 /* This can't happen, but silence the compiler warning. */
331 case NID_aes_128_ctr:
334 case NID_aes_192_ctr:
337 case NID_aes_256_ctr:
342 cctx->keylen = keylen;
343 dctx->strength = keylen * 8;
344 dctx->blocklength = 16;
345 dctx->seedlen = keylen + 16;
347 if (dctx->flags & RAND_DRBG_FLAG_CTR_USE_DF) {
348 /* df initialisation */
349 static unsigned char df_key[32] = {
350 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
351 0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
352 0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
353 0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f
355 /* Set key schedule for df_key */
356 AES_set_encrypt_key(df_key, dctx->strength, &cctx->df_ks);
358 dctx->min_entropy = cctx->keylen;
359 dctx->max_entropy = DRBG_MAX_LENGTH;
360 dctx->min_nonce = dctx->min_entropy / 2;
361 dctx->max_nonce = DRBG_MAX_LENGTH;
362 dctx->max_pers = DRBG_MAX_LENGTH;
363 dctx->max_adin = DRBG_MAX_LENGTH;
365 dctx->min_entropy = dctx->seedlen;
366 dctx->max_entropy = dctx->seedlen;
370 dctx->max_pers = dctx->seedlen;
371 dctx->max_adin = dctx->seedlen;
374 dctx->max_request = 1 << 16;
375 dctx->reseed_interval = MAX_RESEED;
381 * The following function tie the DRBG code into the RAND_METHOD
384 DRBG_CTX *RAND_DRBG_get_default(void)
386 if (!RUN_ONCE(&ossl_drbg_init, do_ossl_drbg_init))
391 static int drbg_bytes(unsigned char *out, int count)
393 DRBG_CTX *dctx = RAND_DRBG_get_default();
396 CRYPTO_THREAD_write_lock(dctx->lock);
400 if (count > (int)dctx->max_request)
401 rcnt = dctx->max_request;
404 ret = RAND_DRBG_generate(dctx, out, rcnt, 0, NULL, 0);
412 CRYPTO_THREAD_unlock(dctx->lock);
416 static int drbg_status(void)
418 DRBG_CTX *dctx = RAND_DRBG_get_default();
421 CRYPTO_THREAD_write_lock(dctx->lock);
422 ret = dctx->status == DRBG_STATUS_READY ? 1 : 0;
423 CRYPTO_THREAD_unlock(dctx->lock);
427 static void drbg_cleanup(void)
429 DRBG_CTX *dctx = RAND_DRBG_get_default();
431 CRYPTO_THREAD_write_lock(dctx->lock);
432 RAND_DRBG_uninstantiate(dctx);
433 CRYPTO_THREAD_unlock(dctx->lock);
436 static const RAND_METHOD rand_drbg_meth =
446 const RAND_METHOD *RAND_drbg(void)
448 return &rand_drbg_meth;