2 * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/crypto.h>
13 #include <openssl/err.h>
14 #include <openssl/rand.h>
15 #include <openssl/aes.h>
16 #include "e_os.h" /* strcasecmp */
17 #include "crypto/modes.h"
18 #include "internal/thread_once.h"
19 #include "prov/implementations.h"
20 #include "prov/provider_ctx.h"
21 #include "prov/providercommonerr.h"
22 #include "drbg_local.h"
24 static OSSL_FUNC_rand_newctx_fn drbg_ctr_new_wrapper;
25 static OSSL_FUNC_rand_freectx_fn drbg_ctr_free;
26 static OSSL_FUNC_rand_instantiate_fn drbg_ctr_instantiate_wrapper;
27 static OSSL_FUNC_rand_uninstantiate_fn drbg_ctr_uninstantiate_wrapper;
28 static OSSL_FUNC_rand_generate_fn drbg_ctr_generate_wrapper;
29 static OSSL_FUNC_rand_reseed_fn drbg_ctr_reseed_wrapper;
30 static OSSL_FUNC_rand_settable_ctx_params_fn drbg_ctr_settable_ctx_params;
31 static OSSL_FUNC_rand_set_ctx_params_fn drbg_ctr_set_ctx_params;
32 static OSSL_FUNC_rand_gettable_ctx_params_fn drbg_ctr_gettable_ctx_params;
33 static OSSL_FUNC_rand_get_ctx_params_fn drbg_ctr_get_ctx_params;
34 static OSSL_FUNC_rand_verify_zeroization_fn drbg_ctr_verify_zeroization;
37 * The state of a DRBG AES-CTR.
39 typedef struct rand_drbg_ctr_st {
40 EVP_CIPHER_CTX *ctx_ecb;
41 EVP_CIPHER_CTX *ctx_ctr;
42 EVP_CIPHER_CTX *ctx_df;
43 EVP_CIPHER *cipher_ecb;
44 EVP_CIPHER *cipher_ctr;
49 /* Temporary block storage used by ctr_df */
50 unsigned char bltmp[16];
56 * Implementation of NIST SP 800-90A CTR DRBG.
58 static void inc_128(PROV_DRBG_CTR *ctr)
60 unsigned char *p = &ctr->V[0];
71 static void ctr_XOR(PROV_DRBG_CTR *ctr, const unsigned char *in, size_t inlen)
75 if (in == NULL || inlen == 0)
79 * Any zero padding will have no effect on the result as we
80 * are XORing. So just process however much input we have.
82 n = inlen < ctr->keylen ? inlen : ctr->keylen;
83 for (i = 0; i < n; i++)
85 if (inlen <= ctr->keylen)
88 n = inlen - ctr->keylen;
90 /* Should never happen */
93 for (i = 0; i < n; i++)
94 ctr->V[i] ^= in[i + ctr->keylen];
98 * Process a complete block using BCC algorithm of SP 800-90A 10.3.3
100 __owur static int ctr_BCC_block(PROV_DRBG_CTR *ctr, unsigned char *out,
101 const unsigned char *in, int len)
103 int i, outlen = AES_BLOCK_SIZE;
105 for (i = 0; i < len; i++)
108 if (!EVP_CipherUpdate(ctr->ctx_df, out, &outlen, out, len)
116 * Handle several BCC operations for as much data as we need for K and X
118 __owur static int ctr_BCC_blocks(PROV_DRBG_CTR *ctr, const unsigned char *in)
120 unsigned char in_tmp[48];
121 unsigned char num_of_blk = 2;
123 memcpy(in_tmp, in, 16);
124 memcpy(in_tmp + 16, in, 16);
125 if (ctr->keylen != 16) {
126 memcpy(in_tmp + 32, in, 16);
129 return ctr_BCC_block(ctr, ctr->KX, in_tmp, AES_BLOCK_SIZE * num_of_blk);
133 * Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
134 * see 10.3.1 stage 7.
136 __owur static int ctr_BCC_init(PROV_DRBG_CTR *ctr)
138 unsigned char bltmp[48] = {0};
139 unsigned char num_of_blk;
141 memset(ctr->KX, 0, 48);
142 num_of_blk = ctr->keylen == 16 ? 2 : 3;
143 bltmp[(AES_BLOCK_SIZE * 1) + 3] = 1;
144 bltmp[(AES_BLOCK_SIZE * 2) + 3] = 2;
145 return ctr_BCC_block(ctr, ctr->KX, bltmp, num_of_blk * AES_BLOCK_SIZE);
149 * Process several blocks into BCC algorithm, some possibly partial
151 __owur static int ctr_BCC_update(PROV_DRBG_CTR *ctr,
152 const unsigned char *in, size_t inlen)
154 if (in == NULL || inlen == 0)
157 /* If we have partial block handle it first */
158 if (ctr->bltmp_pos) {
159 size_t left = 16 - ctr->bltmp_pos;
161 /* If we now have a complete block process it */
163 memcpy(ctr->bltmp + ctr->bltmp_pos, in, left);
164 if (!ctr_BCC_blocks(ctr, ctr->bltmp))
172 /* Process zero or more complete blocks */
173 for (; inlen >= 16; in += 16, inlen -= 16) {
174 if (!ctr_BCC_blocks(ctr, in))
178 /* Copy any remaining partial block to the temporary buffer */
180 memcpy(ctr->bltmp + ctr->bltmp_pos, in, inlen);
181 ctr->bltmp_pos += inlen;
186 __owur static int ctr_BCC_final(PROV_DRBG_CTR *ctr)
188 if (ctr->bltmp_pos) {
189 memset(ctr->bltmp + ctr->bltmp_pos, 0, 16 - ctr->bltmp_pos);
190 if (!ctr_BCC_blocks(ctr, ctr->bltmp))
196 __owur static int ctr_df(PROV_DRBG_CTR *ctr,
197 const unsigned char *in1, size_t in1len,
198 const unsigned char *in2, size_t in2len,
199 const unsigned char *in3, size_t in3len)
201 static unsigned char c80 = 0x80;
203 unsigned char *p = ctr->bltmp;
204 int outlen = AES_BLOCK_SIZE;
206 if (!ctr_BCC_init(ctr))
214 inlen = in1len + in2len + in3len;
215 /* Initialise L||N in temporary block */
216 *p++ = (inlen >> 24) & 0xff;
217 *p++ = (inlen >> 16) & 0xff;
218 *p++ = (inlen >> 8) & 0xff;
221 /* NB keylen is at most 32 bytes */
225 *p = (unsigned char)((ctr->keylen + 16) & 0xff);
227 if (!ctr_BCC_update(ctr, in1, in1len)
228 || !ctr_BCC_update(ctr, in2, in2len)
229 || !ctr_BCC_update(ctr, in3, in3len)
230 || !ctr_BCC_update(ctr, &c80, 1)
231 || !ctr_BCC_final(ctr))
234 if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->KX, NULL, -1))
236 /* X follows key K */
237 if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX, &outlen, ctr->KX + ctr->keylen,
239 || outlen != AES_BLOCK_SIZE)
241 if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX + 16, &outlen, ctr->KX,
243 || outlen != AES_BLOCK_SIZE)
245 if (ctr->keylen != 16)
246 if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX + 32, &outlen,
247 ctr->KX + 16, AES_BLOCK_SIZE)
248 || outlen != AES_BLOCK_SIZE)
254 * NB the no-df Update in SP800-90A specifies a constant input length
255 * of seedlen, however other uses of this algorithm pad the input with
256 * zeroes if necessary and have up to two parameters XORed together,
257 * so we handle both cases in this function instead.
259 __owur static int ctr_update(PROV_DRBG *drbg,
260 const unsigned char *in1, size_t in1len,
261 const unsigned char *in2, size_t in2len,
262 const unsigned char *nonce, size_t noncelen)
264 PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
265 int outlen = AES_BLOCK_SIZE;
266 unsigned char V_tmp[48], out[48];
269 /* correct key is already set up. */
270 memcpy(V_tmp, ctr->V, 16);
272 memcpy(V_tmp + 16, ctr->V, 16);
273 if (ctr->keylen == 16) {
277 memcpy(V_tmp + 32, ctr->V, 16);
280 if (!EVP_CipherUpdate(ctr->ctx_ecb, out, &outlen, V_tmp, len)
283 memcpy(ctr->K, out, ctr->keylen);
284 memcpy(ctr->V, out + ctr->keylen, 16);
287 /* If no input reuse existing derived value */
288 if (in1 != NULL || nonce != NULL || in2 != NULL)
289 if (!ctr_df(ctr, in1, in1len, nonce, noncelen, in2, in2len))
291 /* If this a reuse input in1len != 0 */
293 ctr_XOR(ctr, ctr->KX, drbg->seedlen);
295 ctr_XOR(ctr, in1, in1len);
296 ctr_XOR(ctr, in2, in2len);
299 if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->K, NULL, -1)
300 || !EVP_CipherInit_ex(ctr->ctx_ctr, NULL, NULL, ctr->K, NULL, -1))
305 static int drbg_ctr_instantiate(PROV_DRBG *drbg,
306 const unsigned char *entropy, size_t entropylen,
307 const unsigned char *nonce, size_t noncelen,
308 const unsigned char *pers, size_t perslen)
310 PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
315 memset(ctr->K, 0, sizeof(ctr->K));
316 memset(ctr->V, 0, sizeof(ctr->V));
317 if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->K, NULL, -1))
321 if (!ctr_update(drbg, entropy, entropylen, pers, perslen, nonce, noncelen))
326 static int drbg_ctr_instantiate_wrapper(void *vdrbg, unsigned int strength,
327 int prediction_resistance,
328 const unsigned char *pstr,
331 PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
333 return PROV_DRBG_instantiate(drbg, strength, prediction_resistance,
337 static int drbg_ctr_reseed(PROV_DRBG *drbg,
338 const unsigned char *entropy, size_t entropylen,
339 const unsigned char *adin, size_t adinlen)
341 PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
347 if (!ctr_update(drbg, entropy, entropylen, adin, adinlen, NULL, 0))
352 static int drbg_ctr_reseed_wrapper(void *vdrbg, int prediction_resistance,
353 const unsigned char *ent, size_t ent_len,
354 const unsigned char *adin, size_t adin_len)
356 PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
358 return PROV_DRBG_reseed(drbg, prediction_resistance, ent, ent_len,
362 static void ctr96_inc(unsigned char *counter)
374 static int drbg_ctr_generate(PROV_DRBG *drbg,
375 unsigned char *out, size_t outlen,
376 const unsigned char *adin, size_t adinlen)
378 PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
379 unsigned int ctr32, blocks;
382 if (adin != NULL && adinlen != 0) {
385 if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
387 /* This means we reuse derived value */
401 if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
406 memset(out, 0, outlen);
409 if (!EVP_CipherInit_ex(ctr->ctx_ctr,
410 NULL, NULL, NULL, ctr->V, -1))
414 * outlen has type size_t while EVP_CipherUpdate takes an
415 * int argument and thus cannot be guaranteed to process more
416 * than 2^31-1 bytes at a time. We process such huge generate
417 * requests in 2^30 byte chunks, which is the greatest multiple
418 * of AES block size lower than or equal to 2^31-1.
420 buflen = outlen > (1U << 30) ? (1U << 30) : outlen;
421 blocks = (buflen + 15) / 16;
423 ctr32 = GETU32(ctr->V + 12) + blocks;
424 if (ctr32 < blocks) {
425 /* 32-bit counter overflow into V. */
428 buflen = blocks * 16;
433 PUTU32(ctr->V + 12, ctr32);
435 if (!EVP_CipherUpdate(ctr->ctx_ctr, out, &outl, out, buflen)
443 if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
448 static int drbg_ctr_generate_wrapper
449 (void *vdrbg, unsigned char *out, size_t outlen,
450 unsigned int strength, int prediction_resistance,
451 const unsigned char *adin, size_t adin_len)
453 PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
455 return PROV_DRBG_generate(drbg, out, outlen, strength,
456 prediction_resistance, adin, adin_len);
459 static int drbg_ctr_uninstantiate(PROV_DRBG *drbg)
461 PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
463 OPENSSL_cleanse(ctr->K, sizeof(ctr->K));
464 OPENSSL_cleanse(ctr->V, sizeof(ctr->V));
465 OPENSSL_cleanse(ctr->bltmp, sizeof(ctr->bltmp));
466 OPENSSL_cleanse(ctr->KX, sizeof(ctr->KX));
468 return PROV_DRBG_uninstantiate(drbg);
471 static int drbg_ctr_uninstantiate_wrapper(void *vdrbg)
473 return drbg_ctr_uninstantiate((PROV_DRBG *)vdrbg);
476 static int drbg_ctr_verify_zeroization(void *vdrbg)
478 PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
479 PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
481 PROV_DRBG_VERYIFY_ZEROIZATION(ctr->K);
482 PROV_DRBG_VERYIFY_ZEROIZATION(ctr->V);
483 PROV_DRBG_VERYIFY_ZEROIZATION(ctr->bltmp);
484 PROV_DRBG_VERYIFY_ZEROIZATION(ctr->KX);
485 if (ctr->bltmp_pos != 0)
490 static int drbg_ctr_init_lengths(PROV_DRBG *drbg)
492 PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
497 PROVerr(0, RAND_R_DERIVATION_FUNCTION_MANDATORY_FOR_FIPS);
502 /* Maximum number of bits per request = 2^19 = 2^16 bytes */
503 drbg->max_request = 1 << 16;
505 drbg->min_entropylen = 0;
506 drbg->max_entropylen = DRBG_MAX_LENGTH;
507 drbg->min_noncelen = 0;
508 drbg->max_noncelen = DRBG_MAX_LENGTH;
509 drbg->max_perslen = DRBG_MAX_LENGTH;
510 drbg->max_adinlen = DRBG_MAX_LENGTH;
512 if (ctr->keylen > 0) {
513 drbg->min_entropylen = ctr->keylen;
514 drbg->min_noncelen = drbg->min_entropylen / 2;
517 const size_t len = ctr->keylen > 0 ? drbg->seedlen : DRBG_MAX_LENGTH;
519 drbg->min_entropylen = len;
520 drbg->max_entropylen = len;
522 drbg->min_noncelen = 0;
523 drbg->max_noncelen = 0;
524 drbg->max_perslen = len;
525 drbg->max_adinlen = len;
530 static int drbg_ctr_init(PROV_DRBG *drbg)
532 PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
535 if (ctr->cipher_ctr == NULL) {
536 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CIPHER);
539 ctr->keylen = keylen = EVP_CIPHER_key_length(ctr->cipher_ctr);
540 if (ctr->ctx_ecb == NULL)
541 ctr->ctx_ecb = EVP_CIPHER_CTX_new();
542 if (ctr->ctx_ctr == NULL)
543 ctr->ctx_ctr = EVP_CIPHER_CTX_new();
544 if (ctr->ctx_ecb == NULL || ctr->ctx_ctr == NULL) {
545 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
549 if (!EVP_CipherInit_ex(ctr->ctx_ecb,
550 ctr->cipher_ecb, NULL, NULL, NULL, 1)
551 || !EVP_CipherInit_ex(ctr->ctx_ctr,
552 ctr->cipher_ctr, NULL, NULL, NULL, 1)) {
553 ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_INITIALISE_CIPHERS);
557 drbg->strength = keylen * 8;
558 drbg->seedlen = keylen + 16;
561 /* df initialisation */
562 static const unsigned char df_key[32] = {
563 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
564 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
565 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
566 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
569 if (ctr->ctx_df == NULL)
570 ctr->ctx_df = EVP_CIPHER_CTX_new();
571 if (ctr->ctx_df == NULL) {
572 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
575 /* Set key schedule for df_key */
576 if (!EVP_CipherInit_ex(ctr->ctx_df,
577 ctr->cipher_ecb, NULL, df_key, NULL, 1)) {
578 ERR_raise(ERR_LIB_PROV, PROV_R_DERIVATION_FUNCTION_INIT_FAILED);
582 return drbg_ctr_init_lengths(drbg);
585 EVP_CIPHER_CTX_free(ctr->ctx_ecb);
586 EVP_CIPHER_CTX_free(ctr->ctx_ctr);
587 ctr->ctx_ecb = ctr->ctx_ctr = NULL;
591 static int drbg_ctr_new(PROV_DRBG *drbg)
595 ctr = OPENSSL_secure_zalloc(sizeof(*ctr));
597 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
603 return drbg_ctr_init_lengths(drbg);
606 static void *drbg_ctr_new_wrapper(void *provctx, void *parent,
607 const OSSL_DISPATCH *parent_dispatch)
609 return prov_rand_drbg_new(provctx, parent, parent_dispatch, &drbg_ctr_new,
610 &drbg_ctr_instantiate, &drbg_ctr_uninstantiate,
611 &drbg_ctr_reseed, &drbg_ctr_generate);
614 static void drbg_ctr_free(void *vdrbg)
616 PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
619 if (drbg != NULL && (ctr = (PROV_DRBG_CTR *)drbg->data) != NULL) {
620 EVP_CIPHER_CTX_free(ctr->ctx_ecb);
621 EVP_CIPHER_CTX_free(ctr->ctx_ctr);
622 EVP_CIPHER_CTX_free(ctr->ctx_df);
623 EVP_CIPHER_free(ctr->cipher_ecb);
624 EVP_CIPHER_free(ctr->cipher_ctr);
626 OPENSSL_secure_clear_free(ctr, sizeof(*ctr));
628 prov_rand_drbg_free(drbg);
631 static int drbg_ctr_get_ctx_params(void *vdrbg, OSSL_PARAM params[])
633 PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
634 PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
637 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_USE_DF);
638 if (p != NULL && !OSSL_PARAM_set_int(p, ctr->use_df))
641 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_CIPHER);
643 if (ctr->cipher_ctr == NULL
644 || !OSSL_PARAM_set_utf8_string(p, EVP_CIPHER_name(ctr->cipher_ctr)))
648 return drbg_get_ctx_params(drbg, params);
651 static const OSSL_PARAM *drbg_ctr_gettable_ctx_params(ossl_unused void *provctx)
653 static const OSSL_PARAM known_gettable_ctx_params[] = {
654 OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_CIPHER, NULL, 0),
655 OSSL_PARAM_int(OSSL_DRBG_PARAM_USE_DF, NULL),
656 OSSL_PARAM_DRBG_GETTABLE_CTX_COMMON,
659 return known_gettable_ctx_params;
662 static int drbg_ctr_set_ctx_params(void *vctx, const OSSL_PARAM params[])
664 PROV_DRBG *ctx = (PROV_DRBG *)vctx;
665 PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)ctx->data;
666 OPENSSL_CTX *libctx = PROV_LIBRARY_CONTEXT_OF(ctx->provctx);
669 const char *propquery = NULL;
670 int i, cipher_init = 0;
672 if ((p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_USE_DF)) != NULL
673 && OSSL_PARAM_get_int(p, &i)) {
674 /* FIPS errors out in the drbg_ctr_init() call later */
675 ctr->use_df = i != 0;
679 if ((p = OSSL_PARAM_locate_const(params,
680 OSSL_DRBG_PARAM_PROPERTIES)) != NULL) {
681 if (p->data_type != OSSL_PARAM_UTF8_STRING)
683 propquery = (const char *)p->data;
686 if ((p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_CIPHER)) != NULL) {
687 const char *base = (const char *)p->data;
689 if (p->data_type != OSSL_PARAM_UTF8_STRING
692 if (strcasecmp("CTR", base + p->data_size - sizeof("CTR")) != 0) {
693 ERR_raise(ERR_LIB_PROV, PROV_R_REQUIRE_CTR_MODE_CIPHER);
696 if ((ecb = OPENSSL_strdup(base)) == NULL) {
697 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
700 strcpy(ecb + p->data_size - sizeof("ECB"), "ECB");
701 EVP_CIPHER_free(ctr->cipher_ecb);
702 EVP_CIPHER_free(ctr->cipher_ctr);
703 ctr->cipher_ctr = EVP_CIPHER_fetch(libctx, base, propquery);
704 ctr->cipher_ecb = EVP_CIPHER_fetch(libctx, ecb, propquery);
706 if (ctr->cipher_ctr == NULL || ctr->cipher_ecb == NULL) {
707 ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_FIND_CIPHERS);
713 if (cipher_init && !drbg_ctr_init(ctx))
716 return drbg_set_ctx_params(ctx, params);
719 static const OSSL_PARAM *drbg_ctr_settable_ctx_params(ossl_unused void *provctx)
721 static const OSSL_PARAM known_settable_ctx_params[] = {
722 OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_PROPERTIES, NULL, 0),
723 OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_CIPHER, NULL, 0),
726 * Don't advertise this for FIPS, it isn't allowed to change.
727 * The parameter can still be passed and will be processed but errors
730 OSSL_PARAM_int(OSSL_DRBG_PARAM_USE_DF, NULL),
732 OSSL_PARAM_DRBG_SETTABLE_CTX_COMMON,
735 return known_settable_ctx_params;
738 const OSSL_DISPATCH ossl_drbg_ctr_functions[] = {
739 { OSSL_FUNC_RAND_NEWCTX, (void(*)(void))drbg_ctr_new_wrapper },
740 { OSSL_FUNC_RAND_FREECTX, (void(*)(void))drbg_ctr_free },
741 { OSSL_FUNC_RAND_INSTANTIATE,
742 (void(*)(void))drbg_ctr_instantiate_wrapper },
743 { OSSL_FUNC_RAND_UNINSTANTIATE,
744 (void(*)(void))drbg_ctr_uninstantiate_wrapper },
745 { OSSL_FUNC_RAND_GENERATE, (void(*)(void))drbg_ctr_generate_wrapper },
746 { OSSL_FUNC_RAND_RESEED, (void(*)(void))drbg_ctr_reseed_wrapper },
747 { OSSL_FUNC_RAND_ENABLE_LOCKING, (void(*)(void))drbg_enable_locking },
748 { OSSL_FUNC_RAND_LOCK, (void(*)(void))drbg_lock },
749 { OSSL_FUNC_RAND_UNLOCK, (void(*)(void))drbg_unlock },
750 { OSSL_FUNC_RAND_SETTABLE_CTX_PARAMS,
751 (void(*)(void))drbg_ctr_settable_ctx_params },
752 { OSSL_FUNC_RAND_SET_CTX_PARAMS, (void(*)(void))drbg_ctr_set_ctx_params },
753 { OSSL_FUNC_RAND_GETTABLE_CTX_PARAMS,
754 (void(*)(void))drbg_ctr_gettable_ctx_params },
755 { OSSL_FUNC_RAND_GET_CTX_PARAMS, (void(*)(void))drbg_ctr_get_ctx_params },
756 { OSSL_FUNC_RAND_VERIFY_ZEROIZATION,
757 (void(*)(void))drbg_ctr_verify_zeroization },