]> git.ipfire.org Git - thirdparty/openssl.git/blame - providers/implementations/rands/drbg_ctr.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Make the naming scheme for dispatched functions more consistent
[thirdparty/openssl.git] / providers / implementations / rands / drbg_ctr.c
CommitLineData
12fb8c3d 1/*
33388b44 2 * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved.
12fb8c3d 3 *
0db63de9 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
12fb8c3d
RS		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <stdlib.h>
11#include <string.h>
12#include <openssl/crypto.h>
13#include <openssl/err.h>
14#include <openssl/rand.h>
f000e828
P		 15#include <openssl/aes.h>
16#include "e_os.h" /* strcasecmp */
28bdbe1a 17#include "crypto/modes.h"
12fb8c3d 18#include "internal/thread_once.h"
f000e828
P		 19#include "prov/implementations.h"
20#include "prov/provider_ctx.h"
21#include "prov/providercommonerr.h"
22#include "drbg_local.h"
23
363b1e5d
DMSP		 24static OSSL_FUNC_rand_newctx_fn drbg_ctr_new_wrapper;
25static OSSL_FUNC_rand_freectx_fn drbg_ctr_free;
26static OSSL_FUNC_rand_instantiate_fn drbg_ctr_instantiate_wrapper;
27static OSSL_FUNC_rand_uninstantiate_fn drbg_ctr_uninstantiate_wrapper;
28static OSSL_FUNC_rand_generate_fn drbg_ctr_generate_wrapper;
29static OSSL_FUNC_rand_reseed_fn drbg_ctr_reseed_wrapper;
30static OSSL_FUNC_rand_settable_ctx_params_fn drbg_ctr_settable_ctx_params;
31static OSSL_FUNC_rand_set_ctx_params_fn drbg_ctr_set_ctx_params;
32static OSSL_FUNC_rand_gettable_ctx_params_fn drbg_ctr_gettable_ctx_params;
33static OSSL_FUNC_rand_get_ctx_params_fn drbg_ctr_get_ctx_params;
34static OSSL_FUNC_rand_verify_zeroization_fn drbg_ctr_verify_zeroization;
f000e828
P		 35
36/*
37 * The state of a DRBG AES-CTR.
38 */
39typedef struct rand_drbg_ctr_st {
40 EVP_CIPHER_CTX *ctx_ecb;
41 EVP_CIPHER_CTX *ctx_ctr;
42 EVP_CIPHER_CTX *ctx_df;
43 EVP_CIPHER *cipher_ecb;
44 EVP_CIPHER *cipher_ctr;
45 size_t keylen;
46 int use_df;
47 unsigned char K[32];
48 unsigned char V[16];
49 /* Temporary block storage used by ctr_df */
50 unsigned char bltmp[16];
51 size_t bltmp_pos;
52 unsigned char KX[48];
53} PROV_DRBG_CTR;
8bf36651 54
12fb8c3d 55/*
75e2c877 56 * Implementation of NIST SP 800-90A CTR DRBG.
12fb8c3d 57 */
f000e828 58static void inc_128(PROV_DRBG_CTR *ctr)
12fb8c3d 59{
069165d1
PS		 60 unsigned char *p = &ctr->V[0];
61 u32 n = 16, c = 1;
62
63 do {
64 --n;
65 c += p[n];
66 p[n] = (u8)c;
67 c >>= 8;
68 } while (n);
12fb8c3d
RS		 69}
70
f000e828 71static void ctr_XOR(PROV_DRBG_CTR *ctr, const unsigned char *in, size_t inlen)
12fb8c3d
RS		 72{
73 size_t i, n;
74
75 if (in == NULL || inlen == 0)
76 return;
77
78 /*
79 * Any zero padding will have no effect on the result as we
80 * are XORing. So just process however much input we have.
81 */
75e2c877 82 n = inlen < ctr->keylen ? inlen : ctr->keylen;
12fb8c3d 83 for (i = 0; i < n; i++)
75e2c877
RS		 84 ctr->K[i] ^= in[i];
85 if (inlen <= ctr->keylen)
12fb8c3d
RS		 86 return;
87
75e2c877 88 n = inlen - ctr->keylen;
12fb8c3d
RS		 89 if (n > 16) {
90 /* Should never happen */
91 n = 16;
92 }
b8a437ff 93 for (i = 0; i < n; i++)
75e2c877 94 ctr->V[i] ^= in[i + ctr->keylen];
12fb8c3d
RS		 95}
96
97/*
98 * Process a complete block using BCC algorithm of SP 800-90A 10.3.3
99 */
f000e828 100__owur static int ctr_BCC_block(PROV_DRBG_CTR *ctr, unsigned char *out,
28bdbe1a 101 const unsigned char *in, int len)
12fb8c3d 102{
dbdcc04f 103 int i, outlen = AES_BLOCK_SIZE;
12fb8c3d 104
28bdbe1a 105 for (i = 0; i < len; i++)
12fb8c3d 106 out[i] ^= in[i];
dbdcc04f 107
28bdbe1a
PS		 108 if (!EVP_CipherUpdate(ctr->ctx_df, out, &outlen, out, len)
109 || outlen != len)
dbdcc04f
KR		 110 return 0;
111 return 1;
12fb8c3d
RS		 112}
113
114
115/*
116 * Handle several BCC operations for as much data as we need for K and X
117 */
f000e828 118__owur static int ctr_BCC_blocks(PROV_DRBG_CTR *ctr, const unsigned char *in)
12fb8c3d 119{
28bdbe1a
PS		 120 unsigned char in_tmp[48];
121 unsigned char num_of_blk = 2;
122
123 memcpy(in_tmp, in, 16);
124 memcpy(in_tmp + 16, in, 16);
125 if (ctr->keylen != 16) {
126 memcpy(in_tmp + 32, in, 16);
127 num_of_blk = 3;
128 }
129 return ctr_BCC_block(ctr, ctr->KX, in_tmp, AES_BLOCK_SIZE * num_of_blk);
12fb8c3d
RS		 130}
131
132/*
133 * Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
134 * see 10.3.1 stage 7.
135 */
f000e828 136__owur static int ctr_BCC_init(PROV_DRBG_CTR *ctr)
12fb8c3d 137{
28bdbe1a
PS		 138 unsigned char bltmp[48] = {0};
139 unsigned char num_of_blk;
140
75e2c877 141 memset(ctr->KX, 0, 48);
28bdbe1a
PS		 142 num_of_blk = ctr->keylen == 16 ? 2 : 3;
143 bltmp[(AES_BLOCK_SIZE * 1) + 3] = 1;
144 bltmp[(AES_BLOCK_SIZE * 2) + 3] = 2;
145 return ctr_BCC_block(ctr, ctr->KX, bltmp, num_of_blk * AES_BLOCK_SIZE);
12fb8c3d
RS		 146}
147
148/*
149 * Process several blocks into BCC algorithm, some possibly partial
150 */
f000e828 151__owur static int ctr_BCC_update(PROV_DRBG_CTR *ctr,
dbdcc04f 152 const unsigned char *in, size_t inlen)
12fb8c3d
RS		 153{
154 if (in == NULL || inlen == 0)
dbdcc04f 155 return 1;
12fb8c3d
RS		 156
157 /* If we have partial block handle it first */
75e2c877
RS		 158 if (ctr->bltmp_pos) {
159 size_t left = 16 - ctr->bltmp_pos;
12fb8c3d
RS		 160
161 /* If we now have a complete block process it */
162 if (inlen >= left) {
75e2c877 163 memcpy(ctr->bltmp + ctr->bltmp_pos, in, left);
dbdcc04f
KR		 164 if (!ctr_BCC_blocks(ctr, ctr->bltmp))
165 return 0;
75e2c877 166 ctr->bltmp_pos = 0;
12fb8c3d
RS		 167 inlen -= left;
168 in += left;
169 }
170 }
171
172 /* Process zero or more complete blocks */
173 for (; inlen >= 16; in += 16, inlen -= 16) {
dbdcc04f
KR		 174 if (!ctr_BCC_blocks(ctr, in))
175 return 0;
12fb8c3d
RS		 176 }
177
178 /* Copy any remaining partial block to the temporary buffer */
179 if (inlen > 0) {
75e2c877
RS		 180 memcpy(ctr->bltmp + ctr->bltmp_pos, in, inlen);
181 ctr->bltmp_pos += inlen;
12fb8c3d 182 }
dbdcc04f 183 return 1;
12fb8c3d
RS		 184}
185
f000e828 186__owur static int ctr_BCC_final(PROV_DRBG_CTR *ctr)
12fb8c3d 187{
75e2c877
RS		 188 if (ctr->bltmp_pos) {
189 memset(ctr->bltmp + ctr->bltmp_pos, 0, 16 - ctr->bltmp_pos);
dbdcc04f
KR		 190 if (!ctr_BCC_blocks(ctr, ctr->bltmp))
191 return 0;
12fb8c3d 192 }
dbdcc04f 193 return 1;
12fb8c3d
RS		 194}
195
f000e828 196__owur static int ctr_df(PROV_DRBG_CTR *ctr,
dbdcc04f
KR		 197 const unsigned char *in1, size_t in1len,
198 const unsigned char *in2, size_t in2len,
199 const unsigned char *in3, size_t in3len)
12fb8c3d
RS		 200{
201 static unsigned char c80 = 0x80;
202 size_t inlen;
75e2c877 203 unsigned char *p = ctr->bltmp;
dbdcc04f 204 int outlen = AES_BLOCK_SIZE;
12fb8c3d 205
dbdcc04f
KR		 206 if (!ctr_BCC_init(ctr))
207 return 0;
12fb8c3d
RS		 208 if (in1 == NULL)
209 in1len = 0;
210 if (in2 == NULL)
211 in2len = 0;
212 if (in3 == NULL)
213 in3len = 0;
214 inlen = in1len + in2len + in3len;
215 /* Initialise L||N in temporary block */
216 *p++ = (inlen >> 24) & 0xff;
217 *p++ = (inlen >> 16) & 0xff;
218 *p++ = (inlen >> 8) & 0xff;
219 *p++ = inlen & 0xff;
220
221 /* NB keylen is at most 32 bytes */
222 *p++ = 0;
223 *p++ = 0;
224 *p++ = 0;
75e2c877
RS		 225 *p = (unsigned char)((ctr->keylen + 16) & 0xff);
226 ctr->bltmp_pos = 8;
dbdcc04f
KR		 227 if (!ctr_BCC_update(ctr, in1, in1len)
228 || !ctr_BCC_update(ctr, in2, in2len)
229 || !ctr_BCC_update(ctr, in3, in3len)
230 || !ctr_BCC_update(ctr, &c80, 1)
231 || !ctr_BCC_final(ctr))
232 return 0;
12fb8c3d 233 /* Set up key K */
28bdbe1a 234 if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->KX, NULL, -1))
dbdcc04f 235 return 0;
12fb8c3d 236 /* X follows key K */
28bdbe1a 237 if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX, &outlen, ctr->KX + ctr->keylen,
dbdcc04f
KR		 238 AES_BLOCK_SIZE)
239 || outlen != AES_BLOCK_SIZE)
240 return 0;
28bdbe1a 241 if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX + 16, &outlen, ctr->KX,
dbdcc04f
KR		 242 AES_BLOCK_SIZE)
243 || outlen != AES_BLOCK_SIZE)
244 return 0;
75e2c877 245 if (ctr->keylen != 16)
28bdbe1a
PS		 246 if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX + 32, &outlen,
247 ctr->KX + 16, AES_BLOCK_SIZE)
dbdcc04f
KR		 248 || outlen != AES_BLOCK_SIZE)
249 return 0;
250 return 1;
12fb8c3d
RS		 251}
252
253/*
254 * NB the no-df Update in SP800-90A specifies a constant input length
255 * of seedlen, however other uses of this algorithm pad the input with
256 * zeroes if necessary and have up to two parameters XORed together,
75e2c877 257 * so we handle both cases in this function instead.
12fb8c3d 258 */
f000e828 259__owur static int ctr_update(PROV_DRBG *drbg,
dbdcc04f
KR		 260 const unsigned char *in1, size_t in1len,
261 const unsigned char *in2, size_t in2len,
262 const unsigned char *nonce, size_t noncelen)
12fb8c3d 263{
f000e828 264 PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
dbdcc04f 265 int outlen = AES_BLOCK_SIZE;
28bdbe1a
PS		 266 unsigned char V_tmp[48], out[48];
267 unsigned char len;
12fb8c3d 268
dbdcc04f 269 /* correct key is already set up. */
28bdbe1a 270 memcpy(V_tmp, ctr->V, 16);
75e2c877 271 inc_128(ctr);
28bdbe1a
PS		 272 memcpy(V_tmp + 16, ctr->V, 16);
273 if (ctr->keylen == 16) {
274 len = 32;
275 } else {
75e2c877 276 inc_128(ctr);
28bdbe1a
PS		 277 memcpy(V_tmp + 32, ctr->V, 16);
278 len = 48;
12fb8c3d 279 }
28bdbe1a
PS		 280 if (!EVP_CipherUpdate(ctr->ctx_ecb, out, &outlen, V_tmp, len)
281 || outlen != len)
dbdcc04f 282 return 0;
28bdbe1a
PS		 283 memcpy(ctr->K, out, ctr->keylen);
284 memcpy(ctr->V, out + ctr->keylen, 16);
12fb8c3d 285
f000e828 286 if (ctr->use_df) {
12fb8c3d
RS		 287 /* If no input reuse existing derived value */
288 if (in1 != NULL || nonce != NULL || in2 != NULL)
dbdcc04f
KR		 289 if (!ctr_df(ctr, in1, in1len, nonce, noncelen, in2, in2len))
290 return 0;
12fb8c3d
RS		 291 /* If this a reuse input in1len != 0 */
292 if (in1len)
75e2c877 293 ctr_XOR(ctr, ctr->KX, drbg->seedlen);
12fb8c3d 294 } else {
75e2c877
RS		 295 ctr_XOR(ctr, in1, in1len);
296 ctr_XOR(ctr, in2, in2len);
12fb8c3d
RS		 297 }
298
28bdbe1a
PS		 299 if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->K, NULL, -1)
300 || !EVP_CipherInit_ex(ctr->ctx_ctr, NULL, NULL, ctr->K, NULL, -1))
dbdcc04f
KR		 301 return 0;
302 return 1;
12fb8c3d
RS		 303}
304
f000e828
P		 305static int drbg_ctr_instantiate(PROV_DRBG *drbg,
306 const unsigned char *entropy, size_t entropylen,
307 const unsigned char *nonce, size_t noncelen,
308 const unsigned char *pers, size_t perslen)
12fb8c3d 309{
f000e828 310 PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
12fb8c3d 311
aa048aef 312 if (entropy == NULL)
4c78ba59
DSH		 313 return 0;
314
75e2c877
RS		 315 memset(ctr->K, 0, sizeof(ctr->K));
316 memset(ctr->V, 0, sizeof(ctr->V));
28bdbe1a 317 if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->K, NULL, -1))
dbdcc04f 318 return 0;
28bdbe1a
PS		 319
320 inc_128(ctr);
dbdcc04f
KR		 321 if (!ctr_update(drbg, entropy, entropylen, pers, perslen, nonce, noncelen))
322 return 0;
12fb8c3d
RS		 323 return 1;
324}
325
f000e828
P		 326static int drbg_ctr_instantiate_wrapper(void *vdrbg, unsigned int strength,
327 int prediction_resistance,
328 const unsigned char *pstr,
329 size_t pstr_len)
330{
331 PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
332
333 return PROV_DRBG_instantiate(drbg, strength, prediction_resistance,
334 pstr, pstr_len);
335}
336
337static int drbg_ctr_reseed(PROV_DRBG *drbg,
338 const unsigned char *entropy, size_t entropylen,
339 const unsigned char *adin, size_t adinlen)
12fb8c3d 340{
f000e828 341 PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
28bdbe1a 342
aa048aef 343 if (entropy == NULL)
4c78ba59 344 return 0;
28bdbe1a
PS		 345
346 inc_128(ctr);
dbdcc04f
KR		 347 if (!ctr_update(drbg, entropy, entropylen, adin, adinlen, NULL, 0))
348 return 0;
12fb8c3d
RS		 349 return 1;
350}
351
f000e828
P		 352static int drbg_ctr_reseed_wrapper(void *vdrbg, int prediction_resistance,
353 const unsigned char *ent, size_t ent_len,
354 const unsigned char *adin, size_t adin_len)
355{
356 PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
357
358 return PROV_DRBG_reseed(drbg, prediction_resistance, ent, ent_len,
359 adin, adin_len);
360}
361
28bdbe1a
PS		 362static void ctr96_inc(unsigned char *counter)
363{
364 u32 n = 12, c = 1;
365
366 do {
367 --n;
368 c += counter[n];
369 counter[n] = (u8)c;
370 c >>= 8;
371 } while (n);
372}
373
f000e828
P		 374static int drbg_ctr_generate(PROV_DRBG *drbg,
375 unsigned char *out, size_t outlen,
376 const unsigned char *adin, size_t adinlen)
12fb8c3d 377{
f000e828 378 PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
28bdbe1a
PS		 379 unsigned int ctr32, blocks;
380 int outl, buflen;
12fb8c3d
RS		 381
382 if (adin != NULL && adinlen != 0) {
28bdbe1a
PS		 383 inc_128(ctr);
384
dbdcc04f
KR		 385 if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
386 return 0;
12fb8c3d 387 /* This means we reuse derived value */
f000e828 388 if (ctr->use_df) {
12fb8c3d
RS		 389 adin = NULL;
390 adinlen = 1;
391 }
392 } else {
393 adinlen = 0;
394 }
395
28bdbe1a 396 inc_128(ctr);
dbdcc04f 397
28bdbe1a 398 if (outlen == 0) {
75e2c877 399 inc_128(ctr);
28bdbe1a
PS		 400
401 if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
dbdcc04f 402 return 0;
28bdbe1a 403 return 1;
12fb8c3d
RS		 404 }
405
28bdbe1a
PS		 406 memset(out, 0, outlen);
407
408 do {
409 if (!EVP_CipherInit_ex(ctr->ctx_ctr,
410 NULL, NULL, NULL, ctr->V, -1))
411 return 0;
412
413 /*-
414 * outlen has type size_t while EVP_CipherUpdate takes an
415 * int argument and thus cannot be guaranteed to process more
416 * than 2^31-1 bytes at a time. We process such huge generate
417 * requests in 2^30 byte chunks, which is the greatest multiple
418 * of AES block size lower than or equal to 2^31-1.
419 */
420 buflen = outlen > (1U << 30) ? (1U << 30) : outlen;
421 blocks = (buflen + 15) / 16;
422
423 ctr32 = GETU32(ctr->V + 12) + blocks;
424 if (ctr32 < blocks) {
425 /* 32-bit counter overflow into V. */
42fa3e66
BE		 426 if (ctr32 != 0) {
427 blocks -= ctr32;
428 buflen = blocks * 16;
429 ctr32 = 0;
430 }
28bdbe1a
PS		 431 ctr96_inc(ctr->V);
432 }
433 PUTU32(ctr->V + 12, ctr32);
434
435 if (!EVP_CipherUpdate(ctr->ctx_ctr, out, &outl, out, buflen)
436 || outl != buflen)
437 return 0;
438
439 out += buflen;
440 outlen -= buflen;
441 } while (outlen);
442
dbdcc04f
KR		 443 if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
444 return 0;
12fb8c3d
RS		 445 return 1;
446}
447
f000e828
P		 448static int drbg_ctr_generate_wrapper
449 (void *vdrbg, unsigned char *out, size_t outlen,
450 unsigned int strength, int prediction_resistance,
451 const unsigned char *adin, size_t adin_len)
12fb8c3d 452{
f000e828
P		 453 PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
454
455 return PROV_DRBG_generate(drbg, out, outlen, strength,
456 prediction_resistance, adin, adin_len);
12fb8c3d
RS		 457}
458
f000e828
P		 459static int drbg_ctr_uninstantiate(PROV_DRBG *drbg)
460{
461 PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
462
463 OPENSSL_cleanse(ctr->K, sizeof(ctr->K));
464 OPENSSL_cleanse(ctr->V, sizeof(ctr->V));
465 OPENSSL_cleanse(ctr->bltmp, sizeof(ctr->bltmp));
466 OPENSSL_cleanse(ctr->KX, sizeof(ctr->KX));
467 ctr->bltmp_pos = 0;
468 return PROV_DRBG_uninstantiate(drbg);
469}
8212d505 470
f000e828 471static int drbg_ctr_uninstantiate_wrapper(void *vdrbg)
12fb8c3d 472{
f000e828
P		 473 return drbg_ctr_uninstantiate((PROV_DRBG *)vdrbg);
474}
12fb8c3d 475
f000e828
P		 476static int drbg_ctr_verify_zeroization(void *vdrbg)
477{
478 PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
479 PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
480
481 PROV_DRBG_VERYIFY_ZEROIZATION(ctr->K);
482 PROV_DRBG_VERYIFY_ZEROIZATION(ctr->V);
483 PROV_DRBG_VERYIFY_ZEROIZATION(ctr->bltmp);
484 PROV_DRBG_VERYIFY_ZEROIZATION(ctr->KX);
485 if (ctr->bltmp_pos != 0)
efb8128a 486 return 0;
f000e828
P		 487 return 1;
488}
489
490static int drbg_ctr_init_lengths(PROV_DRBG *drbg)
491{
492 PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
493 int res = 1;
494
495#ifdef FIPS_MODULE
496 if (!ctr->use_df) {
497 PROVerr(0, RAND_R_DERIVATION_FUNCTION_MANDATORY_FOR_FIPS);
498 ctr->use_df = 1;
499 res = 0;
12fb8c3d 500 }
f000e828
P		 501#endif
502 /* Maximum number of bits per request = 2^19 = 2^16 bytes */
503 drbg->max_request = 1 << 16;
504 if (ctr->use_df) {
505 drbg->min_entropylen = 0;
506 drbg->max_entropylen = DRBG_MAX_LENGTH;
507 drbg->min_noncelen = 0;
508 drbg->max_noncelen = DRBG_MAX_LENGTH;
509 drbg->max_perslen = DRBG_MAX_LENGTH;
510 drbg->max_adinlen = DRBG_MAX_LENGTH;
57ca171a 511
f000e828
P		 512 if (ctr->keylen > 0) {
513 drbg->min_entropylen = ctr->keylen;
514 drbg->min_noncelen = drbg->min_entropylen / 2;
515 }
516 } else {
517 const size_t len = ctr->keylen > 0 ? drbg->seedlen : DRBG_MAX_LENGTH;
518
519 drbg->min_entropylen = len;
520 drbg->max_entropylen = len;
521 /* Nonce not used */
522 drbg->min_noncelen = 0;
523 drbg->max_noncelen = 0;
524 drbg->max_perslen = len;
525 drbg->max_adinlen = len;
526 }
527 return res;
528}
529
530static int drbg_ctr_init(PROV_DRBG *drbg)
531{
532 PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
533 const size_t keylen = EVP_CIPHER_key_length(ctr->cipher_ctr);
8212d505 534
75e2c877 535 ctr->keylen = keylen;
28bdbe1a
PS		 536 if (ctr->ctx_ecb == NULL)
537 ctr->ctx_ecb = EVP_CIPHER_CTX_new();
538 if (ctr->ctx_ctr == NULL)
539 ctr->ctx_ctr = EVP_CIPHER_CTX_new();
f000e828
P		 540 if (ctr->ctx_ecb == NULL || ctr->ctx_ctr == NULL) {
541 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
542 goto err;
543 }
544
545 if (ctr->cipher_ctr != NULL) {
546 if (!EVP_CipherInit_ex(ctr->ctx_ecb,
547 ctr->cipher_ecb, NULL, NULL, NULL, 1)
548 || !EVP_CipherInit_ex(ctr->ctx_ctr,
549 ctr->cipher_ctr, NULL, NULL, NULL, 1)) {
550 ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_INITIALISE_CIPHERS);
551 goto err;
552 }
553
554 drbg->strength = keylen * 8;
555 drbg->seedlen = keylen + 16;
556
557 if (ctr->use_df) {
558 /* df initialisation */
559 static const unsigned char df_key[32] = {
560 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
561 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
562 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
563 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
564 };
565
566 if (ctr->ctx_df == NULL)
567 ctr->ctx_df = EVP_CIPHER_CTX_new();
568 if (ctr->ctx_df == NULL) {
569 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
570 goto err;
571 }
572 /* Set key schedule for df_key */
573 if (!EVP_CipherInit_ex(ctr->ctx_df,
574 ctr->cipher_ecb, NULL, df_key, NULL, 1)) {
575 ERR_raise(ERR_LIB_PROV, PROV_R_DERIVATION_FUNCTION_INIT_FAILED);
576 goto err;
577 }
578 }
579 }
580 return drbg_ctr_init_lengths(drbg);
581
582err:
583 EVP_CIPHER_CTX_free(ctr->ctx_ecb);
584 EVP_CIPHER_CTX_free(ctr->ctx_ctr);
585 ctr->ctx_ecb = ctr->ctx_ctr = NULL;
586 return 0;
587}
588
589static int drbg_ctr_new(PROV_DRBG *drbg)
590{
591 PROV_DRBG_CTR *ctr;
592
593 ctr = OPENSSL_secure_zalloc(sizeof(*ctr));
594 if (ctr == NULL) {
595 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
dbdcc04f 596 return 0;
f000e828
P		 597 }
598
599 ctr->use_df = 1;
600 drbg->data = ctr;
601 return drbg_ctr_init_lengths(drbg);
602}
603
604static void *drbg_ctr_new_wrapper(void *provctx, void *parent,
605 const OSSL_DISPATCH *parent_dispatch)
606{
607 return prov_rand_drbg_new(provctx, parent, parent_dispatch, &drbg_ctr_new,
608 &drbg_ctr_instantiate, &drbg_ctr_uninstantiate,
609 &drbg_ctr_reseed, &drbg_ctr_generate);
610}
611
612static void drbg_ctr_free(void *vdrbg)
613{
614 PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
615 PROV_DRBG_CTR *ctr;
616
617 if (drbg != NULL && (ctr = (PROV_DRBG_CTR *)drbg->data) != NULL) {
618 EVP_CIPHER_CTX_free(ctr->ctx_ecb);
619 EVP_CIPHER_CTX_free(ctr->ctx_ctr);
620 EVP_CIPHER_CTX_free(ctr->ctx_df);
621 EVP_CIPHER_free(ctr->cipher_ecb);
622 EVP_CIPHER_free(ctr->cipher_ctr);
623
624 OPENSSL_secure_clear_free(ctr, sizeof(*ctr));
625 }
626 prov_rand_drbg_free(drbg);
627}
628
629static int drbg_ctr_get_ctx_params(void *vdrbg, OSSL_PARAM params[])
630{
631 PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
632
633 return drbg_get_ctx_params(drbg, params);
634}
635
636static const OSSL_PARAM *drbg_ctr_gettable_ctx_params(void)
637{
638 static const OSSL_PARAM known_gettable_ctx_params[] = {
639 OSSL_PARAM_DRBG_GETABLE_CTX_COMMON,
640 OSSL_PARAM_END
641 };
642 return known_gettable_ctx_params;
643}
644
645static int drbg_ctr_set_ctx_params(void *vctx, const OSSL_PARAM params[])
646{
647 PROV_DRBG *ctx = (PROV_DRBG *)vctx;
648 PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)ctx->data;
649 OPENSSL_CTX *libctx = PROV_LIBRARY_CONTEXT_OF(ctx->provctx);
650 const OSSL_PARAM *p;
651 char *ecb;
652 const char *propquery = NULL;
653 int i, cipher_init = 0;
654
655 if ((p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_USE_DF)) != NULL
656 && OSSL_PARAM_get_int(p, &i)) {
657 /* FIPS errors out in the drbg_ctr_init() call later */
658 ctr->use_df = i != 0;
659 cipher_init = 1;
660 }
661
662 if ((p = OSSL_PARAM_locate_const(params,
663 OSSL_DRBG_PARAM_PROPERTIES)) != NULL) {
664 if (p->data_type != OSSL_PARAM_UTF8_STRING)
665 return 0;
666 propquery = (const char *)p->data;
667 }
668
669 if ((p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_CIPHER)) != NULL) {
670 const char *base = (const char *)p->data;
28bdbe1a 671
f000e828
P		 672 if (p->data_type != OSSL_PARAM_UTF8_STRING
673 || p->data_size < 3)
dbdcc04f 674 return 0;
f000e828
P		 675 if (strcasecmp("CTR", base + p->data_size - sizeof("CTR")) != 0) {
676 ERR_raise(ERR_LIB_PROV, PROV_R_REQUIRE_CTR_MODE_CIPHER);
677 return 0;
678 }
679 if ((ecb = OPENSSL_strdup(base)) == NULL) {
680 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
dbdcc04f 681 return 0;
f000e828
P		 682 }
683 strcpy(ecb + p->data_size - sizeof("ECB"), "ECB");
684 EVP_CIPHER_free(ctr->cipher_ecb);
685 EVP_CIPHER_free(ctr->cipher_ctr);
686 ctr->cipher_ctr = EVP_CIPHER_fetch(libctx, base, propquery);
687 ctr->cipher_ecb = EVP_CIPHER_fetch(libctx, ecb, propquery);
688 OPENSSL_free(ecb);
689 if (ctr->cipher_ctr == NULL || ctr->cipher_ecb == NULL) {
690 ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_FIND_CIPHERS);
691 return 0;
692 }
693 cipher_init = 1;
694 }
75e2c877 695
f000e828 696 if (cipher_init && !drbg_ctr_init(ctx))
6c7d80ab 697 return 0;
12fb8c3d 698
f000e828
P		 699 return drbg_set_ctx_params(ctx, params);
700}
4917e911 701
f000e828
P		 702static const OSSL_PARAM *drbg_ctr_settable_ctx_params(void)
703{
704 static const OSSL_PARAM known_settable_ctx_params[] = {
705 OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_PROPERTIES, NULL, 0),
706 OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_CIPHER, NULL, 0),
707#ifndef FIPS_MODULE
708 /*
709 * Don't advertise this for FIPS, it isn't allowed to change.
710 * The parameter can still be passed and will be processed but errors
711 * out.
712 */
713 OSSL_PARAM_int(OSSL_DRBG_PARAM_USE_DF, NULL),
714#endif
715 OSSL_PARAM_DRBG_SETABLE_CTX_COMMON,
716 OSSL_PARAM_END
717 };
718 return known_settable_ctx_params;
12fb8c3d 719}
f000e828
P		 720
721const OSSL_DISPATCH drbg_ctr_functions[] = {
722 { OSSL_FUNC_RAND_NEWCTX, (void(*)(void))drbg_ctr_new_wrapper },
723 { OSSL_FUNC_RAND_FREECTX, (void(*)(void))drbg_ctr_free },
724 { OSSL_FUNC_RAND_INSTANTIATE,
725 (void(*)(void))drbg_ctr_instantiate_wrapper },
726 { OSSL_FUNC_RAND_UNINSTANTIATE,
727 (void(*)(void))drbg_ctr_uninstantiate_wrapper },
728 { OSSL_FUNC_RAND_GENERATE, (void(*)(void))drbg_ctr_generate_wrapper },
729 { OSSL_FUNC_RAND_RESEED, (void(*)(void))drbg_ctr_reseed_wrapper },
730 { OSSL_FUNC_RAND_ENABLE_LOCKING, (void(*)(void))drbg_enable_locking },
731 { OSSL_FUNC_RAND_LOCK, (void(*)(void))drbg_lock },
732 { OSSL_FUNC_RAND_UNLOCK, (void(*)(void))drbg_unlock },
733 { OSSL_FUNC_RAND_SETTABLE_CTX_PARAMS,
734 (void(*)(void))drbg_ctr_settable_ctx_params },
735 { OSSL_FUNC_RAND_SET_CTX_PARAMS, (void(*)(void))drbg_ctr_set_ctx_params },
736 { OSSL_FUNC_RAND_GETTABLE_CTX_PARAMS,
737 (void(*)(void))drbg_ctr_gettable_ctx_params },
738 { OSSL_FUNC_RAND_GET_CTX_PARAMS, (void(*)(void))drbg_ctr_get_ctx_params },
739 { OSSL_FUNC_RAND_SET_CALLBACKS, (void(*)(void))drbg_set_callbacks },
740 { OSSL_FUNC_RAND_VERIFY_ZEROIZATION,
741 (void(*)(void))drbg_ctr_verify_zeroization },
742 { 0, NULL }
743};
A mirror of the official openssl repository