[thirdparty/openssl.git] / crypto / rand / drbg_ctr.c

/*
 * Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdlib.h>
#include <string.h>
#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/rand.h>
#include "internal/thread_once.h"
#include "internal/thread_once.h"
#include "rand_lcl.h"
/*
 * Implementation of NIST SP 800-90A CTR DRBG.
 */

static void inc_128(RAND_DRBG_CTR *ctr)
{
    int i;
    unsigned char c;
    unsigned char *p = &ctr->V[15];

    for (i = 0; i < 16; i++, p--) {
        c = *p;
        c++;
        *p = c;
        if (c != 0) {
            /* If we didn't wrap around, we're done. */
            break;
        }
    }
}

static void ctr_XOR(RAND_DRBG_CTR *ctr, const unsigned char *in, size_t inlen)
{
    size_t i, n;

    if (in == NULL || inlen == 0)
        return;

    /*
     * Any zero padding will have no effect on the result as we
     * are XORing. So just process however much input we have.
     */
    n = inlen < ctr->keylen ? inlen : ctr->keylen;
    for (i = 0; i < n; i++)
        ctr->K[i] ^= in[i];
    if (inlen <= ctr->keylen)
        return;

    n = inlen - ctr->keylen;
    if (n > 16) {
        /* Should never happen */
        n = 16;
    }
    for (i = 0; i < n; i++)
        ctr->V[i] ^= in[i + ctr->keylen];
}

/*
 * Process a complete block using BCC algorithm of SP 800-90A 10.3.3
 */
__owur static int ctr_BCC_block(RAND_DRBG_CTR *ctr, unsigned char *out,
                                const unsigned char *in)
{
    int i, outlen = AES_BLOCK_SIZE;

    for (i = 0; i < 16; i++)
        out[i] ^= in[i];

    if (!EVP_CipherUpdate(ctr->ctx_df, out, &outlen, out, AES_BLOCK_SIZE)
        || outlen != AES_BLOCK_SIZE)
        return 0;
    return 1;
}


/*
 * Handle several BCC operations for as much data as we need for K and X
 */
__owur static int ctr_BCC_blocks(RAND_DRBG_CTR *ctr, const unsigned char *in)
{
    if (!ctr_BCC_block(ctr, ctr->KX, in)
        || !ctr_BCC_block(ctr, ctr->KX + 16, in))
        return 0;
    if (ctr->keylen != 16 && !ctr_BCC_block(ctr, ctr->KX + 32, in))
        return 0;
    return 1;
}

/*
 * Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
 * see 10.3.1 stage 7.
 */
__owur static int ctr_BCC_init(RAND_DRBG_CTR *ctr)
{
    memset(ctr->KX, 0, 48);
    memset(ctr->bltmp, 0, 16);
    if (!ctr_BCC_block(ctr, ctr->KX, ctr->bltmp))
        return 0;
    ctr->bltmp[3] = 1;
    if (!ctr_BCC_block(ctr, ctr->KX + 16, ctr->bltmp))
        return 0;
    if (ctr->keylen != 16) {
        ctr->bltmp[3] = 2;
        if (!ctr_BCC_block(ctr, ctr->KX + 32, ctr->bltmp))
            return 0;
    }
    return 1;
}

/*
 * Process several blocks into BCC algorithm, some possibly partial
 */
__owur static int ctr_BCC_update(RAND_DRBG_CTR *ctr,
                                 const unsigned char *in, size_t inlen)
{
    if (in == NULL || inlen == 0)
        return 1;

    /* If we have partial block handle it first */
    if (ctr->bltmp_pos) {
        size_t left = 16 - ctr->bltmp_pos;

        /* If we now have a complete block process it */
        if (inlen >= left) {
            memcpy(ctr->bltmp + ctr->bltmp_pos, in, left);
            if (!ctr_BCC_blocks(ctr, ctr->bltmp))
                return 0;
            ctr->bltmp_pos = 0;
            inlen -= left;
            in += left;
        }
    }

    /* Process zero or more complete blocks */
    for (; inlen >= 16; in += 16, inlen -= 16) {
        if (!ctr_BCC_blocks(ctr, in))
            return 0;
    }

    /* Copy any remaining partial block to the temporary buffer */
    if (inlen > 0) {
        memcpy(ctr->bltmp + ctr->bltmp_pos, in, inlen);
        ctr->bltmp_pos += inlen;
    }
    return 1;
}

__owur static int ctr_BCC_final(RAND_DRBG_CTR *ctr)
{
    if (ctr->bltmp_pos) {
        memset(ctr->bltmp + ctr->bltmp_pos, 0, 16 - ctr->bltmp_pos);
        if (!ctr_BCC_blocks(ctr, ctr->bltmp))
            return 0;
    }
    return 1;
}

__owur static int ctr_df(RAND_DRBG_CTR *ctr,
                         const unsigned char *in1, size_t in1len,
                         const unsigned char *in2, size_t in2len,
                         const unsigned char *in3, size_t in3len)
{
    static unsigned char c80 = 0x80;
    size_t inlen;
    unsigned char *p = ctr->bltmp;
    int outlen = AES_BLOCK_SIZE;

    if (!ctr_BCC_init(ctr))
        return 0;
    if (in1 == NULL)
        in1len = 0;
    if (in2 == NULL)
        in2len = 0;
    if (in3 == NULL)
        in3len = 0;
    inlen = in1len + in2len + in3len;
    /* Initialise L||N in temporary block */
    *p++ = (inlen >> 24) & 0xff;
    *p++ = (inlen >> 16) & 0xff;
    *p++ = (inlen >> 8) & 0xff;
    *p++ = inlen & 0xff;

    /* NB keylen is at most 32 bytes */
    *p++ = 0;
    *p++ = 0;
    *p++ = 0;
    *p = (unsigned char)((ctr->keylen + 16) & 0xff);
    ctr->bltmp_pos = 8;
    if (!ctr_BCC_update(ctr, in1, in1len)
        || !ctr_BCC_update(ctr, in2, in2len)
        || !ctr_BCC_update(ctr, in3, in3len)
        || !ctr_BCC_update(ctr, &c80, 1)
        || !ctr_BCC_final(ctr))
        return 0;
    /* Set up key K */
    if (!EVP_CipherInit_ex(ctr->ctx, ctr->cipher, NULL, ctr->KX, NULL, 1))
        return 0;
    /* X follows key K */
    if (!EVP_CipherUpdate(ctr->ctx, ctr->KX, &outlen, ctr->KX + ctr->keylen,
                          AES_BLOCK_SIZE)
        || outlen != AES_BLOCK_SIZE)
        return 0;
    if (!EVP_CipherUpdate(ctr->ctx, ctr->KX + 16, &outlen, ctr->KX,
                          AES_BLOCK_SIZE)
        || outlen != AES_BLOCK_SIZE)
        return 0;
    if (ctr->keylen != 16)
        if (!EVP_CipherUpdate(ctr->ctx, ctr->KX + 32, &outlen, ctr->KX + 16,
                              AES_BLOCK_SIZE)
            || outlen != AES_BLOCK_SIZE)
            return 0;
    return 1;
}

/*
 * NB the no-df Update in SP800-90A specifies a constant input length
 * of seedlen, however other uses of this algorithm pad the input with
 * zeroes if necessary and have up to two parameters XORed together,
 * so we handle both cases in this function instead.
 */
__owur static int ctr_update(RAND_DRBG *drbg,
                             const unsigned char *in1, size_t in1len,
                             const unsigned char *in2, size_t in2len,
                             const unsigned char *nonce, size_t noncelen)
{
    RAND_DRBG_CTR *ctr = &drbg->data.ctr;
    int outlen = AES_BLOCK_SIZE;

    /* correct key is already set up. */
    inc_128(ctr);
    if (!EVP_CipherUpdate(ctr->ctx, ctr->K, &outlen, ctr->V, AES_BLOCK_SIZE)
        || outlen != AES_BLOCK_SIZE)
        return 0;

    /* If keylen longer than 128 bits need extra encrypt */
    if (ctr->keylen != 16) {
        inc_128(ctr);
        if (!EVP_CipherUpdate(ctr->ctx, ctr->K+16, &outlen, ctr->V,
                              AES_BLOCK_SIZE)
            || outlen != AES_BLOCK_SIZE)
            return 0;
    }
    inc_128(ctr);
    if (!EVP_CipherUpdate(ctr->ctx, ctr->V, &outlen, ctr->V, AES_BLOCK_SIZE)
        || outlen != AES_BLOCK_SIZE)
        return 0;

    /* If 192 bit key part of V is on end of K */
    if (ctr->keylen == 24) {
        memcpy(ctr->V + 8, ctr->V, 8);
        memcpy(ctr->V, ctr->K + 24, 8);
    }

    if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
        /* If no input reuse existing derived value */
        if (in1 != NULL || nonce != NULL || in2 != NULL)
            if (!ctr_df(ctr, in1, in1len, nonce, noncelen, in2, in2len))
                return 0;
        /* If this a reuse input in1len != 0 */
        if (in1len)
            ctr_XOR(ctr, ctr->KX, drbg->seedlen);
    } else {
        ctr_XOR(ctr, in1, in1len);
        ctr_XOR(ctr, in2, in2len);
    }

    if (!EVP_CipherInit_ex(ctr->ctx, ctr->cipher, NULL, ctr->K, NULL, 1))
        return 0;
    return 1;
}

__owur static int drbg_ctr_instantiate(RAND_DRBG *drbg,
                                       const unsigned char *entropy, size_t entropylen,
                                       const unsigned char *nonce, size_t noncelen,
                                       const unsigned char *pers, size_t perslen)
{
    RAND_DRBG_CTR *ctr = &drbg->data.ctr;

    if (entropy == NULL)
        return 0;

    memset(ctr->K, 0, sizeof(ctr->K));
    memset(ctr->V, 0, sizeof(ctr->V));
    if (!EVP_CipherInit_ex(ctr->ctx, ctr->cipher, NULL, ctr->K, NULL, 1))
        return 0;
    if (!ctr_update(drbg, entropy, entropylen, pers, perslen, nonce, noncelen))
        return 0;
    return 1;
}

__owur static int drbg_ctr_reseed(RAND_DRBG *drbg,
                                  const unsigned char *entropy, size_t entropylen,
                                  const unsigned char *adin, size_t adinlen)
{
    if (entropy == NULL)
        return 0;
    if (!ctr_update(drbg, entropy, entropylen, adin, adinlen, NULL, 0))
        return 0;
    return 1;
}

__owur static int drbg_ctr_generate(RAND_DRBG *drbg,
                                    unsigned char *out, size_t outlen,
                                    const unsigned char *adin, size_t adinlen)
{
    RAND_DRBG_CTR *ctr = &drbg->data.ctr;

    if (adin != NULL && adinlen != 0) {
        if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
            return 0;
        /* This means we reuse derived value */
        if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
            adin = NULL;
            adinlen = 1;
        }
    } else {
        adinlen = 0;
    }

    for ( ; ; ) {
        int outl = AES_BLOCK_SIZE;

        inc_128(ctr);
        if (outlen < 16) {
            /* Use K as temp space as it will be updated */
            if (!EVP_CipherUpdate(ctr->ctx, ctr->K, &outl, ctr->V,
                                  AES_BLOCK_SIZE)
                || outl != AES_BLOCK_SIZE)
                return 0;
            memcpy(out, ctr->K, outlen);
            break;
        }
        if (!EVP_CipherUpdate(ctr->ctx, out, &outl, ctr->V, AES_BLOCK_SIZE)
            || outl != AES_BLOCK_SIZE)
            return 0;
        out += 16;
        outlen -= 16;
        if (outlen == 0)
            break;
    }

    if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
        return 0;
    return 1;
}

static int drbg_ctr_uninstantiate(RAND_DRBG *drbg)
{
    EVP_CIPHER_CTX_free(drbg->data.ctr.ctx);
    EVP_CIPHER_CTX_free(drbg->data.ctr.ctx_df);
    OPENSSL_cleanse(&drbg->data.ctr, sizeof(drbg->data.ctr));
    return 1;
}

static RAND_DRBG_METHOD drbg_ctr_meth = {
    drbg_ctr_instantiate,
    drbg_ctr_reseed,
    drbg_ctr_generate,
    drbg_ctr_uninstantiate
};

int drbg_ctr_init(RAND_DRBG *drbg)
{
    RAND_DRBG_CTR *ctr = &drbg->data.ctr;
    size_t keylen;

    switch (drbg->type) {
    default:
        /* This can't happen, but silence the compiler warning. */
        return 0;
    case NID_aes_128_ctr:
        keylen = 16;
        ctr->cipher = EVP_aes_128_ecb();
        break;
    case NID_aes_192_ctr:
        keylen = 24;
        ctr->cipher = EVP_aes_192_ecb();
        break;
    case NID_aes_256_ctr:
        keylen = 32;
        ctr->cipher = EVP_aes_256_ecb();
        break;
    }

    drbg->meth = &drbg_ctr_meth;

    ctr->keylen = keylen;
    if (ctr->ctx == NULL)
        ctr->ctx = EVP_CIPHER_CTX_new();
    if (ctr->ctx == NULL)
        return 0;
    drbg->strength = keylen * 8;
    drbg->seedlen = keylen + 16;

    if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
        /* df initialisation */
        static const unsigned char df_key[32] = {
            0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
            0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
            0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
            0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f
        };

        if (ctr->ctx_df == NULL)
            ctr->ctx_df = EVP_CIPHER_CTX_new();
        if (ctr->ctx_df == NULL)
            return 0;
        /* Set key schedule for df_key */
        if (!EVP_CipherInit_ex(ctr->ctx_df, ctr->cipher, NULL, df_key, NULL, 1))
            return 0;

        drbg->min_entropylen = ctr->keylen;
        drbg->max_entropylen = DRBG_MINMAX_FACTOR * drbg->min_entropylen;
        drbg->min_noncelen = drbg->min_entropylen / 2;
        drbg->max_noncelen = DRBG_MINMAX_FACTOR * drbg->min_noncelen;
        drbg->max_perslen = DRBG_MAX_LENGTH;
        drbg->max_adinlen = DRBG_MAX_LENGTH;
    } else {
        drbg->min_entropylen = drbg->seedlen;
        drbg->max_entropylen = drbg->seedlen;
        /* Nonce not used */
        drbg->min_noncelen = 0;
        drbg->max_noncelen = 0;
        drbg->max_perslen = drbg->seedlen;
        drbg->max_adinlen = drbg->seedlen;
    }

    drbg->max_request = 1 << 16;

    return 1;
}
Commit	Line	Data
12fb8c3d	1	/*
3c7d0945	2	* Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved.
12fb8c3d RS	3	*
	4	* Licensed under the OpenSSL license (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
	10	#include <stdlib.h>
	11	#include <string.h>
	12	#include <openssl/crypto.h>
	13	#include <openssl/err.h>
	14	#include <openssl/rand.h>
12fb8c3d	15	#include "internal/thread_once.h"
6decf943 DMSP	16	#include "internal/thread_once.h"
6decf943 DMSP	17	#include "rand_lcl.h"
12fb8c3d	18	/*
75e2c877	19	* Implementation of NIST SP 800-90A CTR DRBG.
12fb8c3d RS	20	*/
12fb8c3d RS	21
75e2c877	22	static void inc_128(RAND_DRBG_CTR *ctr)
12fb8c3d RS	23	{
	24	int i;
	25	unsigned char c;
75e2c877	26	unsigned char *p = &ctr->V[15];
12fb8c3d RS	27
	28	for (i = 0; i < 16; i++, p--) {
	29	c = *p;
	30	c++;
	31	*p = c;
	32	if (c != 0) {
	33	/* If we didn't wrap around, we're done. */
	34	break;
	35	}
	36	}
	37	}
	38
75e2c877	39	static void ctr_XOR(RAND_DRBG_CTR ctr, const unsigned char in, size_t inlen)
12fb8c3d RS	40	{
	41	size_t i, n;
	42
	43	if (in == NULL \|\| inlen == 0)
	44	return;
	45
	46	/*
	47	* Any zero padding will have no effect on the result as we
	48	* are XORing. So just process however much input we have.
	49	*/
75e2c877	50	n = inlen < ctr->keylen ? inlen : ctr->keylen;
12fb8c3d	51	for (i = 0; i < n; i++)
75e2c877 RS	52	ctr->K[i] ^= in[i];
75e2c877 RS	53	if (inlen <= ctr->keylen)
12fb8c3d RS	54	return;
12fb8c3d RS	55
75e2c877	56	n = inlen - ctr->keylen;
12fb8c3d RS	57	if (n > 16) {
	58	/* Should never happen */
	59	n = 16;
	60	}
b8a437ff	61	for (i = 0; i < n; i++)
75e2c877	62	ctr->V[i] ^= in[i + ctr->keylen];
12fb8c3d RS	63	}
	64
	65	/*
	66	* Process a complete block using BCC algorithm of SP 800-90A 10.3.3
	67	*/
dbdcc04f KR	68	__owur static int ctr_BCC_block(RAND_DRBG_CTR ctr, unsigned char out,
dbdcc04f KR	69	const unsigned char *in)
12fb8c3d	70	{
dbdcc04f	71	int i, outlen = AES_BLOCK_SIZE;
12fb8c3d RS	72
	73	for (i = 0; i < 16; i++)
	74	out[i] ^= in[i];
dbdcc04f KR	75
	76	if (!EVP_CipherUpdate(ctr->ctx_df, out, &outlen, out, AES_BLOCK_SIZE)
	77	\|\| outlen != AES_BLOCK_SIZE)
	78	return 0;
	79	return 1;
12fb8c3d RS	80	}
	81
	82
	83	/*
	84	* Handle several BCC operations for as much data as we need for K and X
	85	*/
dbdcc04f	86	__owur static int ctr_BCC_blocks(RAND_DRBG_CTR ctr, const unsigned char in)
12fb8c3d	87	{
dbdcc04f KR	88	if (!ctr_BCC_block(ctr, ctr->KX, in)
	89	\|\| !ctr_BCC_block(ctr, ctr->KX + 16, in))
	90	return 0;
	91	if (ctr->keylen != 16 && !ctr_BCC_block(ctr, ctr->KX + 32, in))
	92	return 0;
	93	return 1;
12fb8c3d RS	94	}
	95
	96	/*
	97	* Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
	98	* see 10.3.1 stage 7.
	99	*/
dbdcc04f	100	__owur static int ctr_BCC_init(RAND_DRBG_CTR *ctr)
12fb8c3d	101	{
75e2c877 RS	102	memset(ctr->KX, 0, 48);
75e2c877 RS	103	memset(ctr->bltmp, 0, 16);
dbdcc04f KR	104	if (!ctr_BCC_block(ctr, ctr->KX, ctr->bltmp))
dbdcc04f KR	105	return 0;
75e2c877	106	ctr->bltmp[3] = 1;
dbdcc04f KR	107	if (!ctr_BCC_block(ctr, ctr->KX + 16, ctr->bltmp))
dbdcc04f KR	108	return 0;
75e2c877 RS	109	if (ctr->keylen != 16) {
75e2c877 RS	110	ctr->bltmp[3] = 2;
dbdcc04f KR	111	if (!ctr_BCC_block(ctr, ctr->KX + 32, ctr->bltmp))
dbdcc04f KR	112	return 0;
12fb8c3d	113	}
dbdcc04f	114	return 1;
12fb8c3d RS	115	}
	116
	117	/*
	118	* Process several blocks into BCC algorithm, some possibly partial
	119	*/
dbdcc04f KR	120	__owur static int ctr_BCC_update(RAND_DRBG_CTR *ctr,
dbdcc04f KR	121	const unsigned char *in, size_t inlen)
12fb8c3d RS	122	{
12fb8c3d RS	123	if (in == NULL \|\| inlen == 0)
dbdcc04f	124	return 1;
12fb8c3d RS	125
12fb8c3d RS	126	/* If we have partial block handle it first */
75e2c877 RS	127	if (ctr->bltmp_pos) {
75e2c877 RS	128	size_t left = 16 - ctr->bltmp_pos;
12fb8c3d RS	129
	130	/* If we now have a complete block process it */
	131	if (inlen >= left) {
75e2c877	132	memcpy(ctr->bltmp + ctr->bltmp_pos, in, left);
dbdcc04f KR	133	if (!ctr_BCC_blocks(ctr, ctr->bltmp))
dbdcc04f KR	134	return 0;
75e2c877	135	ctr->bltmp_pos = 0;
12fb8c3d RS	136	inlen -= left;
	137	in += left;
	138	}
	139	}
	140
	141	/* Process zero or more complete blocks */
	142	for (; inlen >= 16; in += 16, inlen -= 16) {
dbdcc04f KR	143	if (!ctr_BCC_blocks(ctr, in))
dbdcc04f KR	144	return 0;
12fb8c3d RS	145	}
	146
	147	/* Copy any remaining partial block to the temporary buffer */
	148	if (inlen > 0) {
75e2c877 RS	149	memcpy(ctr->bltmp + ctr->bltmp_pos, in, inlen);
75e2c877 RS	150	ctr->bltmp_pos += inlen;
12fb8c3d	151	}
dbdcc04f	152	return 1;
12fb8c3d RS	153	}
12fb8c3d RS	154
dbdcc04f	155	__owur static int ctr_BCC_final(RAND_DRBG_CTR *ctr)
12fb8c3d	156	{
75e2c877 RS	157	if (ctr->bltmp_pos) {
75e2c877 RS	158	memset(ctr->bltmp + ctr->bltmp_pos, 0, 16 - ctr->bltmp_pos);
dbdcc04f KR	159	if (!ctr_BCC_blocks(ctr, ctr->bltmp))
dbdcc04f KR	160	return 0;
12fb8c3d	161	}
dbdcc04f	162	return 1;
12fb8c3d RS	163	}
12fb8c3d RS	164
dbdcc04f KR	165	__owur static int ctr_df(RAND_DRBG_CTR *ctr,
	166	const unsigned char *in1, size_t in1len,
	167	const unsigned char *in2, size_t in2len,
	168	const unsigned char *in3, size_t in3len)
12fb8c3d RS	169	{
	170	static unsigned char c80 = 0x80;
	171	size_t inlen;
75e2c877	172	unsigned char *p = ctr->bltmp;
dbdcc04f	173	int outlen = AES_BLOCK_SIZE;
12fb8c3d	174
dbdcc04f KR	175	if (!ctr_BCC_init(ctr))
dbdcc04f KR	176	return 0;
12fb8c3d RS	177	if (in1 == NULL)
	178	in1len = 0;
	179	if (in2 == NULL)
	180	in2len = 0;
	181	if (in3 == NULL)
	182	in3len = 0;
	183	inlen = in1len + in2len + in3len;
	184	/* Initialise L\|\|N in temporary block */
	185	*p++ = (inlen >> 24) & 0xff;
	186	*p++ = (inlen >> 16) & 0xff;
	187	*p++ = (inlen >> 8) & 0xff;
	188	*p++ = inlen & 0xff;
	189
	190	/* NB keylen is at most 32 bytes */
	191	*p++ = 0;
	192	*p++ = 0;
	193	*p++ = 0;
75e2c877 RS	194	*p = (unsigned char)((ctr->keylen + 16) & 0xff);
75e2c877 RS	195	ctr->bltmp_pos = 8;
dbdcc04f KR	196	if (!ctr_BCC_update(ctr, in1, in1len)
	197	\|\| !ctr_BCC_update(ctr, in2, in2len)
	198	\|\| !ctr_BCC_update(ctr, in3, in3len)
	199	\|\| !ctr_BCC_update(ctr, &c80, 1)
	200	\|\| !ctr_BCC_final(ctr))
	201	return 0;
12fb8c3d	202	/* Set up key K */
dbdcc04f KR	203	if (!EVP_CipherInit_ex(ctr->ctx, ctr->cipher, NULL, ctr->KX, NULL, 1))
dbdcc04f KR	204	return 0;
12fb8c3d	205	/* X follows key K */
dbdcc04f KR	206	if (!EVP_CipherUpdate(ctr->ctx, ctr->KX, &outlen, ctr->KX + ctr->keylen,
	207	AES_BLOCK_SIZE)
	208	\|\| outlen != AES_BLOCK_SIZE)
	209	return 0;
	210	if (!EVP_CipherUpdate(ctr->ctx, ctr->KX + 16, &outlen, ctr->KX,
	211	AES_BLOCK_SIZE)
	212	\|\| outlen != AES_BLOCK_SIZE)
	213	return 0;
75e2c877	214	if (ctr->keylen != 16)
dbdcc04f KR	215	if (!EVP_CipherUpdate(ctr->ctx, ctr->KX + 32, &outlen, ctr->KX + 16,
	216	AES_BLOCK_SIZE)
	217	\|\| outlen != AES_BLOCK_SIZE)
	218	return 0;
	219	return 1;
12fb8c3d RS	220	}
	221
	222	/*
	223	* NB the no-df Update in SP800-90A specifies a constant input length
	224	* of seedlen, however other uses of this algorithm pad the input with
	225	* zeroes if necessary and have up to two parameters XORed together,
75e2c877	226	* so we handle both cases in this function instead.
12fb8c3d	227	*/
dbdcc04f KR	228	__owur static int ctr_update(RAND_DRBG *drbg,
	229	const unsigned char *in1, size_t in1len,
	230	const unsigned char *in2, size_t in2len,
	231	const unsigned char *nonce, size_t noncelen)
12fb8c3d	232	{
8212d505	233	RAND_DRBG_CTR *ctr = &drbg->data.ctr;
dbdcc04f	234	int outlen = AES_BLOCK_SIZE;
12fb8c3d	235
dbdcc04f	236	/* correct key is already set up. */
75e2c877	237	inc_128(ctr);
dbdcc04f KR	238	if (!EVP_CipherUpdate(ctr->ctx, ctr->K, &outlen, ctr->V, AES_BLOCK_SIZE)
	239	\|\| outlen != AES_BLOCK_SIZE)
	240	return 0;
12fb8c3d RS	241
12fb8c3d RS	242	/* If keylen longer than 128 bits need extra encrypt */
75e2c877 RS	243	if (ctr->keylen != 16) {
75e2c877 RS	244	inc_128(ctr);
dbdcc04f KR	245	if (!EVP_CipherUpdate(ctr->ctx, ctr->K+16, &outlen, ctr->V,
	246	AES_BLOCK_SIZE)
	247	\|\| outlen != AES_BLOCK_SIZE)
	248	return 0;
12fb8c3d	249	}
75e2c877	250	inc_128(ctr);
dbdcc04f KR	251	if (!EVP_CipherUpdate(ctr->ctx, ctr->V, &outlen, ctr->V, AES_BLOCK_SIZE)
	252	\|\| outlen != AES_BLOCK_SIZE)
	253	return 0;
12fb8c3d RS	254
12fb8c3d RS	255	/* If 192 bit key part of V is on end of K */
75e2c877 RS	256	if (ctr->keylen == 24) {
	257	memcpy(ctr->V + 8, ctr->V, 8);
	258	memcpy(ctr->V, ctr->K + 24, 8);
12fb8c3d RS	259	}
12fb8c3d RS	260
8164d91d	261	if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
12fb8c3d RS	262	/* If no input reuse existing derived value */
12fb8c3d RS	263	if (in1 != NULL \|\| nonce != NULL \|\| in2 != NULL)
dbdcc04f KR	264	if (!ctr_df(ctr, in1, in1len, nonce, noncelen, in2, in2len))
dbdcc04f KR	265	return 0;
12fb8c3d RS	266	/* If this a reuse input in1len != 0 */
12fb8c3d RS	267	if (in1len)
75e2c877	268	ctr_XOR(ctr, ctr->KX, drbg->seedlen);
12fb8c3d	269	} else {
75e2c877 RS	270	ctr_XOR(ctr, in1, in1len);
75e2c877 RS	271	ctr_XOR(ctr, in2, in2len);
12fb8c3d RS	272	}
12fb8c3d RS	273
dbdcc04f KR	274	if (!EVP_CipherInit_ex(ctr->ctx, ctr->cipher, NULL, ctr->K, NULL, 1))
	275	return 0;
	276	return 1;
12fb8c3d RS	277	}
12fb8c3d RS	278
dbdcc04f KR	279	__owur static int drbg_ctr_instantiate(RAND_DRBG *drbg,
	280	const unsigned char *entropy, size_t entropylen,
	281	const unsigned char *nonce, size_t noncelen,
	282	const unsigned char *pers, size_t perslen)
12fb8c3d	283	{
8212d505	284	RAND_DRBG_CTR *ctr = &drbg->data.ctr;
12fb8c3d	285
aa048aef	286	if (entropy == NULL)
4c78ba59 DSH	287	return 0;
4c78ba59 DSH	288
75e2c877 RS	289	memset(ctr->K, 0, sizeof(ctr->K));
75e2c877 RS	290	memset(ctr->V, 0, sizeof(ctr->V));
dbdcc04f KR	291	if (!EVP_CipherInit_ex(ctr->ctx, ctr->cipher, NULL, ctr->K, NULL, 1))
	292	return 0;
	293	if (!ctr_update(drbg, entropy, entropylen, pers, perslen, nonce, noncelen))
	294	return 0;
12fb8c3d RS	295	return 1;
	296	}
	297
dbdcc04f KR	298	__owur static int drbg_ctr_reseed(RAND_DRBG *drbg,
	299	const unsigned char *entropy, size_t entropylen,
	300	const unsigned char *adin, size_t adinlen)
12fb8c3d	301	{
aa048aef	302	if (entropy == NULL)
4c78ba59	303	return 0;
dbdcc04f KR	304	if (!ctr_update(drbg, entropy, entropylen, adin, adinlen, NULL, 0))
dbdcc04f KR	305	return 0;
12fb8c3d RS	306	return 1;
	307	}
	308
dbdcc04f KR	309	__owur static int drbg_ctr_generate(RAND_DRBG *drbg,
	310	unsigned char *out, size_t outlen,
	311	const unsigned char *adin, size_t adinlen)
12fb8c3d	312	{
8212d505	313	RAND_DRBG_CTR *ctr = &drbg->data.ctr;
12fb8c3d RS	314
12fb8c3d RS	315	if (adin != NULL && adinlen != 0) {
dbdcc04f KR	316	if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
dbdcc04f KR	317	return 0;
12fb8c3d	318	/* This means we reuse derived value */
8164d91d	319	if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
12fb8c3d RS	320	adin = NULL;
	321	adinlen = 1;
	322	}
	323	} else {
	324	adinlen = 0;
	325	}
	326
	327	for ( ; ; ) {
dbdcc04f KR	328	int outl = AES_BLOCK_SIZE;
dbdcc04f KR	329
75e2c877	330	inc_128(ctr);
12fb8c3d RS	331	if (outlen < 16) {
12fb8c3d RS	332	/* Use K as temp space as it will be updated */
dbdcc04f KR	333	if (!EVP_CipherUpdate(ctr->ctx, ctr->K, &outl, ctr->V,
	334	AES_BLOCK_SIZE)
	335	\|\| outl != AES_BLOCK_SIZE)
	336	return 0;
75e2c877	337	memcpy(out, ctr->K, outlen);
12fb8c3d RS	338	break;
12fb8c3d RS	339	}
dbdcc04f KR	340	if (!EVP_CipherUpdate(ctr->ctx, out, &outl, ctr->V, AES_BLOCK_SIZE)
	341	\|\| outl != AES_BLOCK_SIZE)
	342	return 0;
12fb8c3d RS	343	out += 16;
	344	outlen -= 16;
	345	if (outlen == 0)
	346	break;
	347	}
	348
dbdcc04f KR	349	if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
dbdcc04f KR	350	return 0;
12fb8c3d RS	351	return 1;
	352	}
	353
8212d505	354	static int drbg_ctr_uninstantiate(RAND_DRBG *drbg)
12fb8c3d	355	{
dbdcc04f KR	356	EVP_CIPHER_CTX_free(drbg->data.ctr.ctx);
dbdcc04f KR	357	EVP_CIPHER_CTX_free(drbg->data.ctr.ctx_df);
8212d505	358	OPENSSL_cleanse(&drbg->data.ctr, sizeof(drbg->data.ctr));
12fb8c3d RS	359	return 1;
	360	}
	361
8212d505 DMSP	362	static RAND_DRBG_METHOD drbg_ctr_meth = {
	363	drbg_ctr_instantiate,
	364	drbg_ctr_reseed,
	365	drbg_ctr_generate,
	366	drbg_ctr_uninstantiate
	367	};
	368
	369	int drbg_ctr_init(RAND_DRBG *drbg)
12fb8c3d	370	{
8212d505	371	RAND_DRBG_CTR *ctr = &drbg->data.ctr;
12fb8c3d RS	372	size_t keylen;
12fb8c3d RS	373
31393fd9	374	switch (drbg->type) {
12fb8c3d RS	375	default:
12fb8c3d RS	376	/* This can't happen, but silence the compiler warning. */
efb8128a	377	return 0;
12fb8c3d RS	378	case NID_aes_128_ctr:
12fb8c3d RS	379	keylen = 16;
dbdcc04f	380	ctr->cipher = EVP_aes_128_ecb();
12fb8c3d RS	381	break;
	382	case NID_aes_192_ctr:
	383	keylen = 24;
dbdcc04f	384	ctr->cipher = EVP_aes_192_ecb();
12fb8c3d RS	385	break;
	386	case NID_aes_256_ctr:
	387	keylen = 32;
dbdcc04f	388	ctr->cipher = EVP_aes_256_ecb();
12fb8c3d RS	389	break;
	390	}
	391
8212d505 DMSP	392	drbg->meth = &drbg_ctr_meth;
8212d505 DMSP	393
75e2c877	394	ctr->keylen = keylen;
dbdcc04f KR	395	if (ctr->ctx == NULL)
	396	ctr->ctx = EVP_CIPHER_CTX_new();
	397	if (ctr->ctx == NULL)
	398	return 0;
75e2c877 RS	399	drbg->strength = keylen * 8;
75e2c877 RS	400	drbg->seedlen = keylen + 16;
12fb8c3d	401
8164d91d	402	if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
12fb8c3d	403	/* df initialisation */
dbdcc04f	404	static const unsigned char df_key[32] = {
12fb8c3d RS	405	0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
	406	0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
	407	0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
	408	0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f
	409	};
dbdcc04f KR	410
	411	if (ctr->ctx_df == NULL)
	412	ctr->ctx_df = EVP_CIPHER_CTX_new();
	413	if (ctr->ctx_df == NULL)
	414	return 0;
12fb8c3d	415	/* Set key schedule for df_key */
dbdcc04f KR	416	if (!EVP_CipherInit_ex(ctr->ctx_df, ctr->cipher, NULL, df_key, NULL, 1))
dbdcc04f KR	417	return 0;
75e2c877	418
aa048aef	419	drbg->min_entropylen = ctr->keylen;
c16de9d8	420	drbg->max_entropylen = DRBG_MINMAX_FACTOR * drbg->min_entropylen;
aa048aef	421	drbg->min_noncelen = drbg->min_entropylen / 2;
c16de9d8	422	drbg->max_noncelen = DRBG_MINMAX_FACTOR * drbg->min_noncelen;
aa048aef DMSP	423	drbg->max_perslen = DRBG_MAX_LENGTH;
aa048aef DMSP	424	drbg->max_adinlen = DRBG_MAX_LENGTH;
12fb8c3d	425	} else {
aa048aef DMSP	426	drbg->min_entropylen = drbg->seedlen;
aa048aef DMSP	427	drbg->max_entropylen = drbg->seedlen;
12fb8c3d	428	/* Nonce not used */
aa048aef DMSP	429	drbg->min_noncelen = 0;
	430	drbg->max_noncelen = 0;
	431	drbg->max_perslen = drbg->seedlen;
	432	drbg->max_adinlen = drbg->seedlen;
12fb8c3d RS	433	}
12fb8c3d RS	434
75e2c877	435	drbg->max_request = 1 << 16;
4917e911	436
12fb8c3d RS	437	return 1;
12fb8c3d RS	438	}