]> git.ipfire.org Git - thirdparty/openssl.git/blob - providers/implementations/rands/drbg_ctr.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Stop raising ERR_R_MALLOC_FAILURE in most places
[thirdparty/openssl.git] / providers / implementations / rands / drbg_ctr.c
1 /*
2 * Copyright 2011-2022 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <stdlib.h>
11 #include <string.h>
12 #include <openssl/crypto.h>
13 #include <openssl/err.h>
14 #include <openssl/rand.h>
15 #include <openssl/aes.h>
16 #include <openssl/proverr.h>
17 #include "crypto/modes.h"
18 #include "internal/thread_once.h"
19 #include "prov/implementations.h"
20 #include "prov/providercommon.h"
21 #include "prov/provider_ctx.h"
22 #include "drbg_local.h"
23
24 static OSSL_FUNC_rand_newctx_fn drbg_ctr_new_wrapper;
25 static OSSL_FUNC_rand_freectx_fn drbg_ctr_free;
26 static OSSL_FUNC_rand_instantiate_fn drbg_ctr_instantiate_wrapper;
27 static OSSL_FUNC_rand_uninstantiate_fn drbg_ctr_uninstantiate_wrapper;
28 static OSSL_FUNC_rand_generate_fn drbg_ctr_generate_wrapper;
29 static OSSL_FUNC_rand_reseed_fn drbg_ctr_reseed_wrapper;
30 static OSSL_FUNC_rand_settable_ctx_params_fn drbg_ctr_settable_ctx_params;
31 static OSSL_FUNC_rand_set_ctx_params_fn drbg_ctr_set_ctx_params;
32 static OSSL_FUNC_rand_gettable_ctx_params_fn drbg_ctr_gettable_ctx_params;
33 static OSSL_FUNC_rand_get_ctx_params_fn drbg_ctr_get_ctx_params;
34 static OSSL_FUNC_rand_verify_zeroization_fn drbg_ctr_verify_zeroization;
35
36 /*
37 * The state of a DRBG AES-CTR.
38 */
39 typedef struct rand_drbg_ctr_st {
40 EVP_CIPHER_CTX *ctx_ecb;
41 EVP_CIPHER_CTX *ctx_ctr;
42 EVP_CIPHER_CTX *ctx_df;
43 EVP_CIPHER *cipher_ecb;
44 EVP_CIPHER *cipher_ctr;
45 size_t keylen;
46 int use_df;
47 unsigned char K[32];
48 unsigned char V[16];
49 /* Temporary block storage used by ctr_df */
50 unsigned char bltmp[16];
51 size_t bltmp_pos;
52 unsigned char KX[48];
53 } PROV_DRBG_CTR;
54
55 /*
56 * Implementation of NIST SP 800-90A CTR DRBG.
57 */
58 static void inc_128(PROV_DRBG_CTR *ctr)
59 {
60 unsigned char *p = &ctr->V[0];
61 u32 n = 16, c = 1;
62
63 do {
64 --n;
65 c += p[n];
66 p[n] = (u8)c;
67 c >>= 8;
68 } while (n);
69 }
70
71 static void ctr_XOR(PROV_DRBG_CTR *ctr, const unsigned char *in, size_t inlen)
72 {
73 size_t i, n;
74
75 if (in == NULL || inlen == 0)
76 return;
77
78 /*
79 * Any zero padding will have no effect on the result as we
80 * are XORing. So just process however much input we have.
81 */
82 n = inlen < ctr->keylen ? inlen : ctr->keylen;
83 for (i = 0; i < n; i++)
84 ctr->K[i] ^= in[i];
85 if (inlen <= ctr->keylen)
86 return;
87
88 n = inlen - ctr->keylen;
89 if (n > 16) {
90 /* Should never happen */
91 n = 16;
92 }
93 for (i = 0; i < n; i++)
94 ctr->V[i] ^= in[i + ctr->keylen];
95 }
96
97 /*
98 * Process a complete block using BCC algorithm of SP 800-90A 10.3.3
99 */
100 __owur static int ctr_BCC_block(PROV_DRBG_CTR *ctr, unsigned char *out,
101 const unsigned char *in, int len)
102 {
103 int i, outlen = AES_BLOCK_SIZE;
104
105 for (i = 0; i < len; i++)
106 out[i] ^= in[i];
107
108 if (!EVP_CipherUpdate(ctr->ctx_df, out, &outlen, out, len)
109 || outlen != len)
110 return 0;
111 return 1;
112 }
113
114
115 /*
116 * Handle several BCC operations for as much data as we need for K and X
117 */
118 __owur static int ctr_BCC_blocks(PROV_DRBG_CTR *ctr, const unsigned char *in)
119 {
120 unsigned char in_tmp[48];
121 unsigned char num_of_blk = 2;
122
123 memcpy(in_tmp, in, 16);
124 memcpy(in_tmp + 16, in, 16);
125 if (ctr->keylen != 16) {
126 memcpy(in_tmp + 32, in, 16);
127 num_of_blk = 3;
128 }
129 return ctr_BCC_block(ctr, ctr->KX, in_tmp, AES_BLOCK_SIZE * num_of_blk);
130 }
131
132 /*
133 * Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
134 * see 10.3.1 stage 7.
135 */
136 __owur static int ctr_BCC_init(PROV_DRBG_CTR *ctr)
137 {
138 unsigned char bltmp[48] = {0};
139 unsigned char num_of_blk;
140
141 memset(ctr->KX, 0, 48);
142 num_of_blk = ctr->keylen == 16 ? 2 : 3;
143 bltmp[(AES_BLOCK_SIZE * 1) + 3] = 1;
144 bltmp[(AES_BLOCK_SIZE * 2) + 3] = 2;
145 return ctr_BCC_block(ctr, ctr->KX, bltmp, num_of_blk * AES_BLOCK_SIZE);
146 }
147
148 /*
149 * Process several blocks into BCC algorithm, some possibly partial
150 */
151 __owur static int ctr_BCC_update(PROV_DRBG_CTR *ctr,
152 const unsigned char *in, size_t inlen)
153 {
154 if (in == NULL || inlen == 0)
155 return 1;
156
157 /* If we have partial block handle it first */
158 if (ctr->bltmp_pos) {
159 size_t left = 16 - ctr->bltmp_pos;
160
161 /* If we now have a complete block process it */
162 if (inlen >= left) {
163 memcpy(ctr->bltmp + ctr->bltmp_pos, in, left);
164 if (!ctr_BCC_blocks(ctr, ctr->bltmp))
165 return 0;
166 ctr->bltmp_pos = 0;
167 inlen -= left;
168 in += left;
169 }
170 }
171
172 /* Process zero or more complete blocks */
173 for (; inlen >= 16; in += 16, inlen -= 16) {
174 if (!ctr_BCC_blocks(ctr, in))
175 return 0;
176 }
177
178 /* Copy any remaining partial block to the temporary buffer */
179 if (inlen > 0) {
180 memcpy(ctr->bltmp + ctr->bltmp_pos, in, inlen);
181 ctr->bltmp_pos += inlen;
182 }
183 return 1;
184 }
185
186 __owur static int ctr_BCC_final(PROV_DRBG_CTR *ctr)
187 {
188 if (ctr->bltmp_pos) {
189 memset(ctr->bltmp + ctr->bltmp_pos, 0, 16 - ctr->bltmp_pos);
190 if (!ctr_BCC_blocks(ctr, ctr->bltmp))
191 return 0;
192 }
193 return 1;
194 }
195
196 __owur static int ctr_df(PROV_DRBG_CTR *ctr,
197 const unsigned char *in1, size_t in1len,
198 const unsigned char *in2, size_t in2len,
199 const unsigned char *in3, size_t in3len)
200 {
201 static unsigned char c80 = 0x80;
202 size_t inlen;
203 unsigned char *p = ctr->bltmp;
204 int outlen = AES_BLOCK_SIZE;
205
206 if (!ctr_BCC_init(ctr))
207 return 0;
208 if (in1 == NULL)
209 in1len = 0;
210 if (in2 == NULL)
211 in2len = 0;
212 if (in3 == NULL)
213 in3len = 0;
214 inlen = in1len + in2len + in3len;
215 /* Initialise L||N in temporary block */
216 *p++ = (inlen >> 24) & 0xff;
217 *p++ = (inlen >> 16) & 0xff;
218 *p++ = (inlen >> 8) & 0xff;
219 *p++ = inlen & 0xff;
220
221 /* NB keylen is at most 32 bytes */
222 *p++ = 0;
223 *p++ = 0;
224 *p++ = 0;
225 *p = (unsigned char)((ctr->keylen + 16) & 0xff);
226 ctr->bltmp_pos = 8;
227 if (!ctr_BCC_update(ctr, in1, in1len)
228 || !ctr_BCC_update(ctr, in2, in2len)
229 || !ctr_BCC_update(ctr, in3, in3len)
230 || !ctr_BCC_update(ctr, &c80, 1)
231 || !ctr_BCC_final(ctr))
232 return 0;
233 /* Set up key K */
234 if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->KX, NULL, -1))
235 return 0;
236 /* X follows key K */
237 if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX, &outlen, ctr->KX + ctr->keylen,
238 AES_BLOCK_SIZE)
239 || outlen != AES_BLOCK_SIZE)
240 return 0;
241 if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX + 16, &outlen, ctr->KX,
242 AES_BLOCK_SIZE)
243 || outlen != AES_BLOCK_SIZE)
244 return 0;
245 if (ctr->keylen != 16)
246 if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX + 32, &outlen,
247 ctr->KX + 16, AES_BLOCK_SIZE)
248 || outlen != AES_BLOCK_SIZE)
249 return 0;
250 return 1;
251 }
252
253 /*
254 * NB the no-df Update in SP800-90A specifies a constant input length
255 * of seedlen, however other uses of this algorithm pad the input with
256 * zeroes if necessary and have up to two parameters XORed together,
257 * so we handle both cases in this function instead.
258 */
259 __owur static int ctr_update(PROV_DRBG *drbg,
260 const unsigned char *in1, size_t in1len,
261 const unsigned char *in2, size_t in2len,
262 const unsigned char *nonce, size_t noncelen)
263 {
264 PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
265 int outlen = AES_BLOCK_SIZE;
266 unsigned char V_tmp[48], out[48];
267 unsigned char len;
268
269 /* correct key is already set up. */
270 memcpy(V_tmp, ctr->V, 16);
271 inc_128(ctr);
272 memcpy(V_tmp + 16, ctr->V, 16);
273 if (ctr->keylen == 16) {
274 len = 32;
275 } else {
276 inc_128(ctr);
277 memcpy(V_tmp + 32, ctr->V, 16);
278 len = 48;
279 }
280 if (!EVP_CipherUpdate(ctr->ctx_ecb, out, &outlen, V_tmp, len)
281 || outlen != len)
282 return 0;
283 memcpy(ctr->K, out, ctr->keylen);
284 memcpy(ctr->V, out + ctr->keylen, 16);
285
286 if (ctr->use_df) {
287 /* If no input reuse existing derived value */
288 if (in1 != NULL || nonce != NULL || in2 != NULL)
289 if (!ctr_df(ctr, in1, in1len, nonce, noncelen, in2, in2len))
290 return 0;
291 /* If this a reuse input in1len != 0 */
292 if (in1len)
293 ctr_XOR(ctr, ctr->KX, drbg->seedlen);
294 } else {
295 ctr_XOR(ctr, in1, in1len);
296 ctr_XOR(ctr, in2, in2len);
297 }
298
299 if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->K, NULL, -1)
300 || !EVP_CipherInit_ex(ctr->ctx_ctr, NULL, NULL, ctr->K, NULL, -1))
301 return 0;
302 return 1;
303 }
304
305 static int drbg_ctr_instantiate(PROV_DRBG *drbg,
306 const unsigned char *entropy, size_t entropylen,
307 const unsigned char *nonce, size_t noncelen,
308 const unsigned char *pers, size_t perslen)
309 {
310 PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
311
312 if (entropy == NULL)
313 return 0;
314
315 memset(ctr->K, 0, sizeof(ctr->K));
316 memset(ctr->V, 0, sizeof(ctr->V));
317 if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->K, NULL, -1))
318 return 0;
319
320 inc_128(ctr);
321 if (!ctr_update(drbg, entropy, entropylen, pers, perslen, nonce, noncelen))
322 return 0;
323 return 1;
324 }
325
326 static int drbg_ctr_instantiate_wrapper(void *vdrbg, unsigned int strength,
327 int prediction_resistance,
328 const unsigned char *pstr,
329 size_t pstr_len,
330 const OSSL_PARAM params[])
331 {
332 PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
333
334 if (!ossl_prov_is_running() || !drbg_ctr_set_ctx_params(drbg, params))
335 return 0;
336 return ossl_prov_drbg_instantiate(drbg, strength, prediction_resistance,
337 pstr, pstr_len);
338 }
339
340 static int drbg_ctr_reseed(PROV_DRBG *drbg,
341 const unsigned char *entropy, size_t entropylen,
342 const unsigned char *adin, size_t adinlen)
343 {
344 PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
345
346 if (entropy == NULL)
347 return 0;
348
349 inc_128(ctr);
350 if (!ctr_update(drbg, entropy, entropylen, adin, adinlen, NULL, 0))
351 return 0;
352 return 1;
353 }
354
355 static int drbg_ctr_reseed_wrapper(void *vdrbg, int prediction_resistance,
356 const unsigned char *ent, size_t ent_len,
357 const unsigned char *adin, size_t adin_len)
358 {
359 PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
360
361 return ossl_prov_drbg_reseed(drbg, prediction_resistance, ent, ent_len,
362 adin, adin_len);
363 }
364
365 static void ctr96_inc(unsigned char *counter)
366 {
367 u32 n = 12, c = 1;
368
369 do {
370 --n;
371 c += counter[n];
372 counter[n] = (u8)c;
373 c >>= 8;
374 } while (n);
375 }
376
377 static int drbg_ctr_generate(PROV_DRBG *drbg,
378 unsigned char *out, size_t outlen,
379 const unsigned char *adin, size_t adinlen)
380 {
381 PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
382 unsigned int ctr32, blocks;
383 int outl, buflen;
384
385 if (adin != NULL && adinlen != 0) {
386 inc_128(ctr);
387
388 if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
389 return 0;
390 /* This means we reuse derived value */
391 if (ctr->use_df) {
392 adin = NULL;
393 adinlen = 1;
394 }
395 } else {
396 adinlen = 0;
397 }
398
399 inc_128(ctr);
400
401 if (outlen == 0) {
402 inc_128(ctr);
403
404 if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
405 return 0;
406 return 1;
407 }
408
409 memset(out, 0, outlen);
410
411 do {
412 if (!EVP_CipherInit_ex(ctr->ctx_ctr,
413 NULL, NULL, NULL, ctr->V, -1))
414 return 0;
415
416 /*-
417 * outlen has type size_t while EVP_CipherUpdate takes an
418 * int argument and thus cannot be guaranteed to process more
419 * than 2^31-1 bytes at a time. We process such huge generate
420 * requests in 2^30 byte chunks, which is the greatest multiple
421 * of AES block size lower than or equal to 2^31-1.
422 */
423 buflen = outlen > (1U << 30) ? (1U << 30) : outlen;
424 blocks = (buflen + 15) / 16;
425
426 ctr32 = GETU32(ctr->V + 12) + blocks;
427 if (ctr32 < blocks) {
428 /* 32-bit counter overflow into V. */
429 if (ctr32 != 0) {
430 blocks -= ctr32;
431 buflen = blocks * 16;
432 ctr32 = 0;
433 }
434 ctr96_inc(ctr->V);
435 }
436 PUTU32(ctr->V + 12, ctr32);
437
438 if (!EVP_CipherUpdate(ctr->ctx_ctr, out, &outl, out, buflen)
439 || outl != buflen)
440 return 0;
441
442 out += buflen;
443 outlen -= buflen;
444 } while (outlen);
445
446 if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
447 return 0;
448 return 1;
449 }
450
451 static int drbg_ctr_generate_wrapper
452 (void *vdrbg, unsigned char *out, size_t outlen,
453 unsigned int strength, int prediction_resistance,
454 const unsigned char *adin, size_t adin_len)
455 {
456 PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
457
458 return ossl_prov_drbg_generate(drbg, out, outlen, strength,
459 prediction_resistance, adin, adin_len);
460 }
461
462 static int drbg_ctr_uninstantiate(PROV_DRBG *drbg)
463 {
464 PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
465
466 OPENSSL_cleanse(ctr->K, sizeof(ctr->K));
467 OPENSSL_cleanse(ctr->V, sizeof(ctr->V));
468 OPENSSL_cleanse(ctr->bltmp, sizeof(ctr->bltmp));
469 OPENSSL_cleanse(ctr->KX, sizeof(ctr->KX));
470 ctr->bltmp_pos = 0;
471 return ossl_prov_drbg_uninstantiate(drbg);
472 }
473
474 static int drbg_ctr_uninstantiate_wrapper(void *vdrbg)
475 {
476 return drbg_ctr_uninstantiate((PROV_DRBG *)vdrbg);
477 }
478
479 static int drbg_ctr_verify_zeroization(void *vdrbg)
480 {
481 PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
482 PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
483
484 PROV_DRBG_VERYIFY_ZEROIZATION(ctr->K);
485 PROV_DRBG_VERYIFY_ZEROIZATION(ctr->V);
486 PROV_DRBG_VERYIFY_ZEROIZATION(ctr->bltmp);
487 PROV_DRBG_VERYIFY_ZEROIZATION(ctr->KX);
488 if (ctr->bltmp_pos != 0)
489 return 0;
490 return 1;
491 }
492
493 static int drbg_ctr_init_lengths(PROV_DRBG *drbg)
494 {
495 PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
496 int res = 1;
497
498 /* Maximum number of bits per request = 2^19 = 2^16 bytes */
499 drbg->max_request = 1 << 16;
500 if (ctr->use_df) {
501 drbg->min_entropylen = 0;
502 drbg->max_entropylen = DRBG_MAX_LENGTH;
503 drbg->min_noncelen = 0;
504 drbg->max_noncelen = DRBG_MAX_LENGTH;
505 drbg->max_perslen = DRBG_MAX_LENGTH;
506 drbg->max_adinlen = DRBG_MAX_LENGTH;
507
508 if (ctr->keylen > 0) {
509 drbg->min_entropylen = ctr->keylen;
510 drbg->min_noncelen = drbg->min_entropylen / 2;
511 }
512 } else {
513 const size_t len = ctr->keylen > 0 ? drbg->seedlen : DRBG_MAX_LENGTH;
514
515 drbg->min_entropylen = len;
516 drbg->max_entropylen = len;
517 /* Nonce not used */
518 drbg->min_noncelen = 0;
519 drbg->max_noncelen = 0;
520 drbg->max_perslen = len;
521 drbg->max_adinlen = len;
522 }
523 return res;
524 }
525
526 static int drbg_ctr_init(PROV_DRBG *drbg)
527 {
528 PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
529 size_t keylen;
530
531 if (ctr->cipher_ctr == NULL) {
532 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CIPHER);
533 return 0;
534 }
535 ctr->keylen = keylen = EVP_CIPHER_get_key_length(ctr->cipher_ctr);
536 if (ctr->ctx_ecb == NULL)
537 ctr->ctx_ecb = EVP_CIPHER_CTX_new();
538 if (ctr->ctx_ctr == NULL)
539 ctr->ctx_ctr = EVP_CIPHER_CTX_new();
540 if (ctr->ctx_ecb == NULL || ctr->ctx_ctr == NULL) {
541 ERR_raise(ERR_LIB_PROV, ERR_R_EVP_LIB);
542 goto err;
543 }
544
545 if (!EVP_CipherInit_ex(ctr->ctx_ecb,
546 ctr->cipher_ecb, NULL, NULL, NULL, 1)
547 || !EVP_CipherInit_ex(ctr->ctx_ctr,
548 ctr->cipher_ctr, NULL, NULL, NULL, 1)) {
549 ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_INITIALISE_CIPHERS);
550 goto err;
551 }
552
553 drbg->strength = keylen * 8;
554 drbg->seedlen = keylen + 16;
555
556 if (ctr->use_df) {
557 /* df initialisation */
558 static const unsigned char df_key[32] = {
559 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
560 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
561 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
562 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
563 };
564
565 if (ctr->ctx_df == NULL)
566 ctr->ctx_df = EVP_CIPHER_CTX_new();
567 if (ctr->ctx_df == NULL) {
568 ERR_raise(ERR_LIB_PROV, ERR_R_EVP_LIB);
569 goto err;
570 }
571 /* Set key schedule for df_key */
572 if (!EVP_CipherInit_ex(ctr->ctx_df,
573 ctr->cipher_ecb, NULL, df_key, NULL, 1)) {
574 ERR_raise(ERR_LIB_PROV, PROV_R_DERIVATION_FUNCTION_INIT_FAILED);
575 goto err;
576 }
577 }
578 return drbg_ctr_init_lengths(drbg);
579
580 err:
581 EVP_CIPHER_CTX_free(ctr->ctx_ecb);
582 EVP_CIPHER_CTX_free(ctr->ctx_ctr);
583 ctr->ctx_ecb = ctr->ctx_ctr = NULL;
584 return 0;
585 }
586
587 static int drbg_ctr_new(PROV_DRBG *drbg)
588 {
589 PROV_DRBG_CTR *ctr;
590
591 ctr = OPENSSL_secure_zalloc(sizeof(*ctr));
592 if (ctr == NULL)
593 return 0;
594
595 ctr->use_df = 1;
596 drbg->data = ctr;
597 return drbg_ctr_init_lengths(drbg);
598 }
599
600 static void *drbg_ctr_new_wrapper(void *provctx, void *parent,
601 const OSSL_DISPATCH *parent_dispatch)
602 {
603 return ossl_rand_drbg_new(provctx, parent, parent_dispatch, &drbg_ctr_new,
604 &drbg_ctr_instantiate, &drbg_ctr_uninstantiate,
605 &drbg_ctr_reseed, &drbg_ctr_generate);
606 }
607
608 static void drbg_ctr_free(void *vdrbg)
609 {
610 PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
611 PROV_DRBG_CTR *ctr;
612
613 if (drbg != NULL && (ctr = (PROV_DRBG_CTR *)drbg->data) != NULL) {
614 EVP_CIPHER_CTX_free(ctr->ctx_ecb);
615 EVP_CIPHER_CTX_free(ctr->ctx_ctr);
616 EVP_CIPHER_CTX_free(ctr->ctx_df);
617 EVP_CIPHER_free(ctr->cipher_ecb);
618 EVP_CIPHER_free(ctr->cipher_ctr);
619
620 OPENSSL_secure_clear_free(ctr, sizeof(*ctr));
621 }
622 ossl_rand_drbg_free(drbg);
623 }
624
625 static int drbg_ctr_get_ctx_params(void *vdrbg, OSSL_PARAM params[])
626 {
627 PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
628 PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
629 OSSL_PARAM *p;
630
631 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_USE_DF);
632 if (p != NULL && !OSSL_PARAM_set_int(p, ctr->use_df))
633 return 0;
634
635 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_CIPHER);
636 if (p != NULL) {
637 if (ctr->cipher_ctr == NULL
638 || !OSSL_PARAM_set_utf8_string(p,
639 EVP_CIPHER_get0_name(ctr->cipher_ctr)))
640 return 0;
641 }
642
643 return ossl_drbg_get_ctx_params(drbg, params);
644 }
645
646 static const OSSL_PARAM *drbg_ctr_gettable_ctx_params(ossl_unused void *vctx,
647 ossl_unused void *provctx)
648 {
649 static const OSSL_PARAM known_gettable_ctx_params[] = {
650 OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_CIPHER, NULL, 0),
651 OSSL_PARAM_int(OSSL_DRBG_PARAM_USE_DF, NULL),
652 OSSL_PARAM_DRBG_GETTABLE_CTX_COMMON,
653 OSSL_PARAM_END
654 };
655 return known_gettable_ctx_params;
656 }
657
658 static int drbg_ctr_set_ctx_params(void *vctx, const OSSL_PARAM params[])
659 {
660 PROV_DRBG *ctx = (PROV_DRBG *)vctx;
661 PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)ctx->data;
662 OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
663 const OSSL_PARAM *p;
664 char *ecb;
665 const char *propquery = NULL;
666 int i, cipher_init = 0;
667
668 if ((p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_USE_DF)) != NULL
669 && OSSL_PARAM_get_int(p, &i)) {
670 /* FIPS errors out in the drbg_ctr_init() call later */
671 ctr->use_df = i != 0;
672 cipher_init = 1;
673 }
674
675 if ((p = OSSL_PARAM_locate_const(params,
676 OSSL_DRBG_PARAM_PROPERTIES)) != NULL) {
677 if (p->data_type != OSSL_PARAM_UTF8_STRING)
678 return 0;
679 propquery = (const char *)p->data;
680 }
681
682 if ((p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_CIPHER)) != NULL) {
683 const char *base = (const char *)p->data;
684 size_t ctr_str_len = sizeof("CTR") - 1;
685 size_t ecb_str_len = sizeof("ECB") - 1;
686
687 if (p->data_type != OSSL_PARAM_UTF8_STRING
688 || p->data_size < ctr_str_len)
689 return 0;
690 if (OPENSSL_strcasecmp("CTR", base + p->data_size - ctr_str_len) != 0) {
691 ERR_raise(ERR_LIB_PROV, PROV_R_REQUIRE_CTR_MODE_CIPHER);
692 return 0;
693 }
694 if ((ecb = OPENSSL_strndup(base, p->data_size)) == NULL)
695 return 0;
696 strcpy(ecb + p->data_size - ecb_str_len, "ECB");
697 EVP_CIPHER_free(ctr->cipher_ecb);
698 EVP_CIPHER_free(ctr->cipher_ctr);
699 ctr->cipher_ctr = EVP_CIPHER_fetch(libctx, base, propquery);
700 ctr->cipher_ecb = EVP_CIPHER_fetch(libctx, ecb, propquery);
701 OPENSSL_free(ecb);
702 if (ctr->cipher_ctr == NULL || ctr->cipher_ecb == NULL) {
703 ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_FIND_CIPHERS);
704 return 0;
705 }
706 cipher_init = 1;
707 }
708
709 if (cipher_init && !drbg_ctr_init(ctx))
710 return 0;
711
712 return ossl_drbg_set_ctx_params(ctx, params);
713 }
714
715 static const OSSL_PARAM *drbg_ctr_settable_ctx_params(ossl_unused void *vctx,
716 ossl_unused void *provctx)
717 {
718 static const OSSL_PARAM known_settable_ctx_params[] = {
719 OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_PROPERTIES, NULL, 0),
720 OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_CIPHER, NULL, 0),
721 OSSL_PARAM_int(OSSL_DRBG_PARAM_USE_DF, NULL),
722 OSSL_PARAM_DRBG_SETTABLE_CTX_COMMON,
723 OSSL_PARAM_END
724 };
725 return known_settable_ctx_params;
726 }
727
728 const OSSL_DISPATCH ossl_drbg_ctr_functions[] = {
729 { OSSL_FUNC_RAND_NEWCTX, (void(*)(void))drbg_ctr_new_wrapper },
730 { OSSL_FUNC_RAND_FREECTX, (void(*)(void))drbg_ctr_free },
731 { OSSL_FUNC_RAND_INSTANTIATE,
732 (void(*)(void))drbg_ctr_instantiate_wrapper },
733 { OSSL_FUNC_RAND_UNINSTANTIATE,
734 (void(*)(void))drbg_ctr_uninstantiate_wrapper },
735 { OSSL_FUNC_RAND_GENERATE, (void(*)(void))drbg_ctr_generate_wrapper },
736 { OSSL_FUNC_RAND_RESEED, (void(*)(void))drbg_ctr_reseed_wrapper },
737 { OSSL_FUNC_RAND_ENABLE_LOCKING, (void(*)(void))ossl_drbg_enable_locking },
738 { OSSL_FUNC_RAND_LOCK, (void(*)(void))ossl_drbg_lock },
739 { OSSL_FUNC_RAND_UNLOCK, (void(*)(void))ossl_drbg_unlock },
740 { OSSL_FUNC_RAND_SETTABLE_CTX_PARAMS,
741 (void(*)(void))drbg_ctr_settable_ctx_params },
742 { OSSL_FUNC_RAND_SET_CTX_PARAMS, (void(*)(void))drbg_ctr_set_ctx_params },
743 { OSSL_FUNC_RAND_GETTABLE_CTX_PARAMS,
744 (void(*)(void))drbg_ctr_gettable_ctx_params },
745 { OSSL_FUNC_RAND_GET_CTX_PARAMS, (void(*)(void))drbg_ctr_get_ctx_params },
746 { OSSL_FUNC_RAND_VERIFY_ZEROIZATION,
747 (void(*)(void))drbg_ctr_verify_zeroization },
748 { OSSL_FUNC_RAND_GET_SEED, (void(*)(void))ossl_drbg_get_seed },
749 { OSSL_FUNC_RAND_CLEAR_SEED, (void(*)(void))ossl_drbg_clear_seed },
750 { 0, NULL }
751 };
A mirror of the official openssl repository