[thirdparty/openssl.git] / crypto / rand / drbg_ctr.c

/*
 * Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdlib.h>
#include <string.h>
#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/rand.h>
#include "internal/thread_once.h"
#include "internal/thread_once.h"
#include "rand_lcl.h"
/*
 * Implementation of NIST SP 800-90A CTR DRBG.
 */

static void inc_128(RAND_DRBG_CTR *ctr)
{
    int i;
    unsigned char c;
    unsigned char *p = &ctr->V[15];

    for (i = 0; i < 16; i++, p--) {
        c = *p;
        c++;
        *p = c;
        if (c != 0) {
            /* If we didn't wrap around, we're done. */
            break;
        }
    }
}

static void ctr_XOR(RAND_DRBG_CTR *ctr, const unsigned char *in, size_t inlen)
{
    size_t i, n;

    if (in == NULL || inlen == 0)
        return;

    /*
     * Any zero padding will have no effect on the result as we
     * are XORing. So just process however much input we have.
     */
    n = inlen < ctr->keylen ? inlen : ctr->keylen;
    for (i = 0; i < n; i++)
        ctr->K[i] ^= in[i];
    if (inlen <= ctr->keylen)
        return;

    n = inlen - ctr->keylen;
    if (n > 16) {
        /* Should never happen */
        n = 16;
    }
    for (i = 0; i < n; i++)
        ctr->V[i] ^= in[i + ctr->keylen];
}

/*
 * Process a complete block using BCC algorithm of SP 800-90A 10.3.3
 */
static void ctr_BCC_block(RAND_DRBG_CTR *ctr, unsigned char *out,
                          const unsigned char *in)
{
    int i;

    for (i = 0; i < 16; i++)
        out[i] ^= in[i];
    AES_encrypt(out, out, &ctr->df_ks);
}


/*
 * Handle several BCC operations for as much data as we need for K and X
 */
static void ctr_BCC_blocks(RAND_DRBG_CTR *ctr, const unsigned char *in)
{
    ctr_BCC_block(ctr, ctr->KX, in);
    ctr_BCC_block(ctr, ctr->KX + 16, in);
    if (ctr->keylen != 16)
        ctr_BCC_block(ctr, ctr->KX + 32, in);
}

/*
 * Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
 * see 10.3.1 stage 7.
 */
static void ctr_BCC_init(RAND_DRBG_CTR *ctr)
{
    memset(ctr->KX, 0, 48);
    memset(ctr->bltmp, 0, 16);
    ctr_BCC_block(ctr, ctr->KX, ctr->bltmp);
    ctr->bltmp[3] = 1;
    ctr_BCC_block(ctr, ctr->KX + 16, ctr->bltmp);
    if (ctr->keylen != 16) {
        ctr->bltmp[3] = 2;
        ctr_BCC_block(ctr, ctr->KX + 32, ctr->bltmp);
    }
}

/*
 * Process several blocks into BCC algorithm, some possibly partial
 */
static void ctr_BCC_update(RAND_DRBG_CTR *ctr,
                           const unsigned char *in, size_t inlen)
{
    if (in == NULL || inlen == 0)
        return;

    /* If we have partial block handle it first */
    if (ctr->bltmp_pos) {
        size_t left = 16 - ctr->bltmp_pos;

        /* If we now have a complete block process it */
        if (inlen >= left) {
            memcpy(ctr->bltmp + ctr->bltmp_pos, in, left);
            ctr_BCC_blocks(ctr, ctr->bltmp);
            ctr->bltmp_pos = 0;
            inlen -= left;
            in += left;
        }
    }

    /* Process zero or more complete blocks */
    for (; inlen >= 16; in += 16, inlen -= 16) {
        ctr_BCC_blocks(ctr, in);
    }

    /* Copy any remaining partial block to the temporary buffer */
    if (inlen > 0) {
        memcpy(ctr->bltmp + ctr->bltmp_pos, in, inlen);
        ctr->bltmp_pos += inlen;
    }
}

static void ctr_BCC_final(RAND_DRBG_CTR *ctr)
{
    if (ctr->bltmp_pos) {
        memset(ctr->bltmp + ctr->bltmp_pos, 0, 16 - ctr->bltmp_pos);
        ctr_BCC_blocks(ctr, ctr->bltmp);
    }
}

static void ctr_df(RAND_DRBG_CTR *ctr,
                   const unsigned char *in1, size_t in1len,
                   const unsigned char *in2, size_t in2len,
                   const unsigned char *in3, size_t in3len)
{
    static unsigned char c80 = 0x80;
    size_t inlen;
    unsigned char *p = ctr->bltmp;

    ctr_BCC_init(ctr);
    if (in1 == NULL)
        in1len = 0;
    if (in2 == NULL)
        in2len = 0;
    if (in3 == NULL)
        in3len = 0;
    inlen = in1len + in2len + in3len;
    /* Initialise L||N in temporary block */
    *p++ = (inlen >> 24) & 0xff;
    *p++ = (inlen >> 16) & 0xff;
    *p++ = (inlen >> 8) & 0xff;
    *p++ = inlen & 0xff;

    /* NB keylen is at most 32 bytes */
    *p++ = 0;
    *p++ = 0;
    *p++ = 0;
    *p = (unsigned char)((ctr->keylen + 16) & 0xff);
    ctr->bltmp_pos = 8;
    ctr_BCC_update(ctr, in1, in1len);
    ctr_BCC_update(ctr, in2, in2len);
    ctr_BCC_update(ctr, in3, in3len);
    ctr_BCC_update(ctr, &c80, 1);
    ctr_BCC_final(ctr);
    /* Set up key K */
    AES_set_encrypt_key(ctr->KX, ctr->keylen * 8, &ctr->df_kxks);
    /* X follows key K */
    AES_encrypt(ctr->KX + ctr->keylen, ctr->KX, &ctr->df_kxks);
    AES_encrypt(ctr->KX, ctr->KX + 16, &ctr->df_kxks);
    if (ctr->keylen != 16)
        AES_encrypt(ctr->KX + 16, ctr->KX + 32, &ctr->df_kxks);
}

/*
 * NB the no-df Update in SP800-90A specifies a constant input length
 * of seedlen, however other uses of this algorithm pad the input with
 * zeroes if necessary and have up to two parameters XORed together,
 * so we handle both cases in this function instead.
 */
static void ctr_update(RAND_DRBG *drbg,
                       const unsigned char *in1, size_t in1len,
                       const unsigned char *in2, size_t in2len,
                       const unsigned char *nonce, size_t noncelen)
{
    RAND_DRBG_CTR *ctr = &drbg->data.ctr;

    /* ks is already setup for correct key */
    inc_128(ctr);
    AES_encrypt(ctr->V, ctr->K, &ctr->ks);

    /* If keylen longer than 128 bits need extra encrypt */
    if (ctr->keylen != 16) {
        inc_128(ctr);
        AES_encrypt(ctr->V, ctr->K + 16, &ctr->ks);
    }
    inc_128(ctr);
    AES_encrypt(ctr->V, ctr->V, &ctr->ks);

    /* If 192 bit key part of V is on end of K */
    if (ctr->keylen == 24) {
        memcpy(ctr->V + 8, ctr->V, 8);
        memcpy(ctr->V, ctr->K + 24, 8);
    }

    if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
        /* If no input reuse existing derived value */
        if (in1 != NULL || nonce != NULL || in2 != NULL)
            ctr_df(ctr, in1, in1len, nonce, noncelen, in2, in2len);
        /* If this a reuse input in1len != 0 */
        if (in1len)
            ctr_XOR(ctr, ctr->KX, drbg->seedlen);
    } else {
        ctr_XOR(ctr, in1, in1len);
        ctr_XOR(ctr, in2, in2len);
    }

    AES_set_encrypt_key(ctr->K, drbg->strength, &ctr->ks);
}

static int drbg_ctr_instantiate(RAND_DRBG *drbg,
                                const unsigned char *entropy, size_t entropylen,
                                const unsigned char *nonce, size_t noncelen,
                                const unsigned char *pers, size_t perslen)
{
    RAND_DRBG_CTR *ctr = &drbg->data.ctr;

    if (entropy == NULL)
        return 0;

    memset(ctr->K, 0, sizeof(ctr->K));
    memset(ctr->V, 0, sizeof(ctr->V));
    AES_set_encrypt_key(ctr->K, drbg->strength, &ctr->ks);
    ctr_update(drbg, entropy, entropylen, pers, perslen, nonce, noncelen);
    return 1;
}

static int drbg_ctr_reseed(RAND_DRBG *drbg,
                           const unsigned char *entropy, size_t entropylen,
                           const unsigned char *adin, size_t adinlen)
{
    if (entropy == NULL)
        return 0;
    ctr_update(drbg, entropy, entropylen, adin, adinlen, NULL, 0);
    return 1;
}

static int drbg_ctr_generate(RAND_DRBG *drbg,
                             unsigned char *out, size_t outlen,
                             const unsigned char *adin, size_t adinlen)
{
    RAND_DRBG_CTR *ctr = &drbg->data.ctr;

    if (adin != NULL && adinlen != 0) {
        ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0);
        /* This means we reuse derived value */
        if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
            adin = NULL;
            adinlen = 1;
        }
    } else {
        adinlen = 0;
    }

    for ( ; ; ) {
        inc_128(ctr);
        if (outlen < 16) {
            /* Use K as temp space as it will be updated */
            AES_encrypt(ctr->V, ctr->K, &ctr->ks);
            memcpy(out, ctr->K, outlen);
            break;
        }
        AES_encrypt(ctr->V, out, &ctr->ks);
        out += 16;
        outlen -= 16;
        if (outlen == 0)
            break;
    }

    ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0);
    return 1;
}

static int drbg_ctr_uninstantiate(RAND_DRBG *drbg)
{
    OPENSSL_cleanse(&drbg->data.ctr, sizeof(drbg->data.ctr));
    return 1;
}

static RAND_DRBG_METHOD drbg_ctr_meth = {
    drbg_ctr_instantiate,
    drbg_ctr_reseed,
    drbg_ctr_generate,
    drbg_ctr_uninstantiate
};

int drbg_ctr_init(RAND_DRBG *drbg)
{
    RAND_DRBG_CTR *ctr = &drbg->data.ctr;
    size_t keylen;

    switch (drbg->type) {
    default:
        /* This can't happen, but silence the compiler warning. */
        return 0;
    case NID_aes_128_ctr:
        keylen = 16;
        break;
    case NID_aes_192_ctr:
        keylen = 24;
        break;
    case NID_aes_256_ctr:
        keylen = 32;
        break;
    }

    drbg->meth = &drbg_ctr_meth;

    ctr->keylen = keylen;
    drbg->strength = keylen * 8;
    drbg->seedlen = keylen + 16;

    if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
        /* df initialisation */
        static unsigned char df_key[32] = {
            0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
            0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
            0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
            0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f
        };
        /* Set key schedule for df_key */
        AES_set_encrypt_key(df_key, drbg->strength, &ctr->df_ks);

        drbg->min_entropylen = ctr->keylen;
        drbg->max_entropylen = DRBG_MINMAX_FACTOR * drbg->min_entropylen;
        drbg->min_noncelen = drbg->min_entropylen / 2;
        drbg->max_noncelen = DRBG_MINMAX_FACTOR * drbg->min_noncelen;
        drbg->max_perslen = DRBG_MAX_LENGTH;
        drbg->max_adinlen = DRBG_MAX_LENGTH;
    } else {
        drbg->min_entropylen = drbg->seedlen;
        drbg->max_entropylen = drbg->seedlen;
        /* Nonce not used */
        drbg->min_noncelen = 0;
        drbg->max_noncelen = 0;
        drbg->max_perslen = drbg->seedlen;
        drbg->max_adinlen = drbg->seedlen;
    }

    drbg->max_request = 1 << 16;

    return 1;
}
Commit	Line	Data
12fb8c3d	1	/*
3c7d0945	2	* Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved.
12fb8c3d RS	3	*
	4	* Licensed under the OpenSSL license (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
	10	#include <stdlib.h>
	11	#include <string.h>
	12	#include <openssl/crypto.h>
	13	#include <openssl/err.h>
	14	#include <openssl/rand.h>
12fb8c3d	15	#include "internal/thread_once.h"
6decf943 DMSP	16	#include "internal/thread_once.h"
6decf943 DMSP	17	#include "rand_lcl.h"
12fb8c3d	18	/*
75e2c877	19	* Implementation of NIST SP 800-90A CTR DRBG.
12fb8c3d RS	20	*/
12fb8c3d RS	21
75e2c877	22	static void inc_128(RAND_DRBG_CTR *ctr)
12fb8c3d RS	23	{
	24	int i;
	25	unsigned char c;
75e2c877	26	unsigned char *p = &ctr->V[15];
12fb8c3d RS	27
	28	for (i = 0; i < 16; i++, p--) {
	29	c = *p;
	30	c++;
	31	*p = c;
	32	if (c != 0) {
	33	/* If we didn't wrap around, we're done. */
	34	break;
	35	}
	36	}
	37	}
	38
75e2c877	39	static void ctr_XOR(RAND_DRBG_CTR ctr, const unsigned char in, size_t inlen)
12fb8c3d RS	40	{
	41	size_t i, n;
	42
	43	if (in == NULL \|\| inlen == 0)
	44	return;
	45
	46	/*
	47	* Any zero padding will have no effect on the result as we
	48	* are XORing. So just process however much input we have.
	49	*/
75e2c877	50	n = inlen < ctr->keylen ? inlen : ctr->keylen;
12fb8c3d	51	for (i = 0; i < n; i++)
75e2c877 RS	52	ctr->K[i] ^= in[i];
75e2c877 RS	53	if (inlen <= ctr->keylen)
12fb8c3d RS	54	return;
12fb8c3d RS	55
75e2c877	56	n = inlen - ctr->keylen;
12fb8c3d RS	57	if (n > 16) {
	58	/* Should never happen */
	59	n = 16;
	60	}
b8a437ff	61	for (i = 0; i < n; i++)
75e2c877	62	ctr->V[i] ^= in[i + ctr->keylen];
12fb8c3d RS	63	}
	64
	65	/*
	66	* Process a complete block using BCC algorithm of SP 800-90A 10.3.3
	67	*/
75e2c877	68	static void ctr_BCC_block(RAND_DRBG_CTR ctr, unsigned char out,
12fb8c3d RS	69	const unsigned char *in)
	70	{
	71	int i;
	72
	73	for (i = 0; i < 16; i++)
	74	out[i] ^= in[i];
75e2c877	75	AES_encrypt(out, out, &ctr->df_ks);
12fb8c3d RS	76	}
	77
	78
	79	/*
	80	* Handle several BCC operations for as much data as we need for K and X
	81	*/
75e2c877	82	static void ctr_BCC_blocks(RAND_DRBG_CTR ctr, const unsigned char in)
12fb8c3d	83	{
75e2c877 RS	84	ctr_BCC_block(ctr, ctr->KX, in);
	85	ctr_BCC_block(ctr, ctr->KX + 16, in);
	86	if (ctr->keylen != 16)
	87	ctr_BCC_block(ctr, ctr->KX + 32, in);
12fb8c3d RS	88	}
	89
	90	/*
	91	* Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
	92	* see 10.3.1 stage 7.
	93	*/
75e2c877	94	static void ctr_BCC_init(RAND_DRBG_CTR *ctr)
12fb8c3d	95	{
75e2c877 RS	96	memset(ctr->KX, 0, 48);
	97	memset(ctr->bltmp, 0, 16);
	98	ctr_BCC_block(ctr, ctr->KX, ctr->bltmp);
	99	ctr->bltmp[3] = 1;
	100	ctr_BCC_block(ctr, ctr->KX + 16, ctr->bltmp);
	101	if (ctr->keylen != 16) {
	102	ctr->bltmp[3] = 2;
	103	ctr_BCC_block(ctr, ctr->KX + 32, ctr->bltmp);
12fb8c3d RS	104	}
	105	}
	106
	107	/*
	108	* Process several blocks into BCC algorithm, some possibly partial
	109	*/
75e2c877	110	static void ctr_BCC_update(RAND_DRBG_CTR *ctr,
12fb8c3d RS	111	const unsigned char *in, size_t inlen)
	112	{
	113	if (in == NULL \|\| inlen == 0)
	114	return;
	115
	116	/* If we have partial block handle it first */
75e2c877 RS	117	if (ctr->bltmp_pos) {
75e2c877 RS	118	size_t left = 16 - ctr->bltmp_pos;
12fb8c3d RS	119
	120	/* If we now have a complete block process it */
	121	if (inlen >= left) {
75e2c877 RS	122	memcpy(ctr->bltmp + ctr->bltmp_pos, in, left);
	123	ctr_BCC_blocks(ctr, ctr->bltmp);
	124	ctr->bltmp_pos = 0;
12fb8c3d RS	125	inlen -= left;
	126	in += left;
	127	}
	128	}
	129
	130	/* Process zero or more complete blocks */
	131	for (; inlen >= 16; in += 16, inlen -= 16) {
75e2c877	132	ctr_BCC_blocks(ctr, in);
12fb8c3d RS	133	}
	134
	135	/* Copy any remaining partial block to the temporary buffer */
	136	if (inlen > 0) {
75e2c877 RS	137	memcpy(ctr->bltmp + ctr->bltmp_pos, in, inlen);
75e2c877 RS	138	ctr->bltmp_pos += inlen;
12fb8c3d RS	139	}
	140	}
	141
75e2c877	142	static void ctr_BCC_final(RAND_DRBG_CTR *ctr)
12fb8c3d	143	{
75e2c877 RS	144	if (ctr->bltmp_pos) {
	145	memset(ctr->bltmp + ctr->bltmp_pos, 0, 16 - ctr->bltmp_pos);
	146	ctr_BCC_blocks(ctr, ctr->bltmp);
12fb8c3d RS	147	}
	148	}
	149
75e2c877	150	static void ctr_df(RAND_DRBG_CTR *ctr,
12fb8c3d RS	151	const unsigned char *in1, size_t in1len,
	152	const unsigned char *in2, size_t in2len,
	153	const unsigned char *in3, size_t in3len)
	154	{
	155	static unsigned char c80 = 0x80;
	156	size_t inlen;
75e2c877	157	unsigned char *p = ctr->bltmp;
12fb8c3d	158
75e2c877	159	ctr_BCC_init(ctr);
12fb8c3d RS	160	if (in1 == NULL)
	161	in1len = 0;
	162	if (in2 == NULL)
	163	in2len = 0;
	164	if (in3 == NULL)
	165	in3len = 0;
	166	inlen = in1len + in2len + in3len;
	167	/* Initialise L\|\|N in temporary block */
	168	*p++ = (inlen >> 24) & 0xff;
	169	*p++ = (inlen >> 16) & 0xff;
	170	*p++ = (inlen >> 8) & 0xff;
	171	*p++ = inlen & 0xff;
	172
	173	/* NB keylen is at most 32 bytes */
	174	*p++ = 0;
	175	*p++ = 0;
	176	*p++ = 0;
75e2c877 RS	177	*p = (unsigned char)((ctr->keylen + 16) & 0xff);
	178	ctr->bltmp_pos = 8;
	179	ctr_BCC_update(ctr, in1, in1len);
	180	ctr_BCC_update(ctr, in2, in2len);
	181	ctr_BCC_update(ctr, in3, in3len);
	182	ctr_BCC_update(ctr, &c80, 1);
	183	ctr_BCC_final(ctr);
12fb8c3d	184	/* Set up key K */
75e2c877	185	AES_set_encrypt_key(ctr->KX, ctr->keylen * 8, &ctr->df_kxks);
12fb8c3d	186	/* X follows key K */
75e2c877 RS	187	AES_encrypt(ctr->KX + ctr->keylen, ctr->KX, &ctr->df_kxks);
	188	AES_encrypt(ctr->KX, ctr->KX + 16, &ctr->df_kxks);
	189	if (ctr->keylen != 16)
	190	AES_encrypt(ctr->KX + 16, ctr->KX + 32, &ctr->df_kxks);
12fb8c3d RS	191	}
	192
	193	/*
	194	* NB the no-df Update in SP800-90A specifies a constant input length
	195	* of seedlen, however other uses of this algorithm pad the input with
	196	* zeroes if necessary and have up to two parameters XORed together,
75e2c877	197	* so we handle both cases in this function instead.
12fb8c3d	198	*/
75e2c877	199	static void ctr_update(RAND_DRBG *drbg,
12fb8c3d RS	200	const unsigned char *in1, size_t in1len,
	201	const unsigned char *in2, size_t in2len,
	202	const unsigned char *nonce, size_t noncelen)
	203	{
8212d505	204	RAND_DRBG_CTR *ctr = &drbg->data.ctr;
12fb8c3d RS	205
12fb8c3d RS	206	/* ks is already setup for correct key */
75e2c877 RS	207	inc_128(ctr);
75e2c877 RS	208	AES_encrypt(ctr->V, ctr->K, &ctr->ks);
12fb8c3d RS	209
12fb8c3d RS	210	/* If keylen longer than 128 bits need extra encrypt */
75e2c877 RS	211	if (ctr->keylen != 16) {
	212	inc_128(ctr);
	213	AES_encrypt(ctr->V, ctr->K + 16, &ctr->ks);
12fb8c3d	214	}
75e2c877 RS	215	inc_128(ctr);
75e2c877 RS	216	AES_encrypt(ctr->V, ctr->V, &ctr->ks);
12fb8c3d RS	217
12fb8c3d RS	218	/* If 192 bit key part of V is on end of K */
75e2c877 RS	219	if (ctr->keylen == 24) {
	220	memcpy(ctr->V + 8, ctr->V, 8);
	221	memcpy(ctr->V, ctr->K + 24, 8);
12fb8c3d RS	222	}
12fb8c3d RS	223
8164d91d	224	if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
12fb8c3d RS	225	/* If no input reuse existing derived value */
12fb8c3d RS	226	if (in1 != NULL \|\| nonce != NULL \|\| in2 != NULL)
75e2c877	227	ctr_df(ctr, in1, in1len, nonce, noncelen, in2, in2len);
12fb8c3d RS	228	/* If this a reuse input in1len != 0 */
12fb8c3d RS	229	if (in1len)
75e2c877	230	ctr_XOR(ctr, ctr->KX, drbg->seedlen);
12fb8c3d	231	} else {
75e2c877 RS	232	ctr_XOR(ctr, in1, in1len);
75e2c877 RS	233	ctr_XOR(ctr, in2, in2len);
12fb8c3d RS	234	}
12fb8c3d RS	235
75e2c877	236	AES_set_encrypt_key(ctr->K, drbg->strength, &ctr->ks);
12fb8c3d RS	237	}
12fb8c3d RS	238
8212d505 DMSP	239	static int drbg_ctr_instantiate(RAND_DRBG *drbg,
	240	const unsigned char *entropy, size_t entropylen,
	241	const unsigned char *nonce, size_t noncelen,
	242	const unsigned char *pers, size_t perslen)
12fb8c3d	243	{
8212d505	244	RAND_DRBG_CTR *ctr = &drbg->data.ctr;
12fb8c3d	245
aa048aef	246	if (entropy == NULL)
4c78ba59 DSH	247	return 0;
4c78ba59 DSH	248
75e2c877 RS	249	memset(ctr->K, 0, sizeof(ctr->K));
	250	memset(ctr->V, 0, sizeof(ctr->V));
	251	AES_set_encrypt_key(ctr->K, drbg->strength, &ctr->ks);
aa048aef	252	ctr_update(drbg, entropy, entropylen, pers, perslen, nonce, noncelen);
12fb8c3d RS	253	return 1;
	254	}
	255
8212d505 DMSP	256	static int drbg_ctr_reseed(RAND_DRBG *drbg,
	257	const unsigned char *entropy, size_t entropylen,
	258	const unsigned char *adin, size_t adinlen)
12fb8c3d	259	{
aa048aef	260	if (entropy == NULL)
4c78ba59	261	return 0;
aa048aef	262	ctr_update(drbg, entropy, entropylen, adin, adinlen, NULL, 0);
12fb8c3d RS	263	return 1;
	264	}
	265
8212d505 DMSP	266	static int drbg_ctr_generate(RAND_DRBG *drbg,
	267	unsigned char *out, size_t outlen,
	268	const unsigned char *adin, size_t adinlen)
12fb8c3d	269	{
8212d505	270	RAND_DRBG_CTR *ctr = &drbg->data.ctr;
12fb8c3d RS	271
12fb8c3d RS	272	if (adin != NULL && adinlen != 0) {
75e2c877	273	ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0);
12fb8c3d	274	/* This means we reuse derived value */
8164d91d	275	if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
12fb8c3d RS	276	adin = NULL;
	277	adinlen = 1;
	278	}
	279	} else {
	280	adinlen = 0;
	281	}
	282
	283	for ( ; ; ) {
75e2c877	284	inc_128(ctr);
12fb8c3d RS	285	if (outlen < 16) {
12fb8c3d RS	286	/* Use K as temp space as it will be updated */
75e2c877 RS	287	AES_encrypt(ctr->V, ctr->K, &ctr->ks);
75e2c877 RS	288	memcpy(out, ctr->K, outlen);
12fb8c3d RS	289	break;
12fb8c3d RS	290	}
75e2c877	291	AES_encrypt(ctr->V, out, &ctr->ks);
12fb8c3d RS	292	out += 16;
	293	outlen -= 16;
	294	if (outlen == 0)
	295	break;
	296	}
	297
75e2c877	298	ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0);
12fb8c3d RS	299	return 1;
	300	}
	301
8212d505	302	static int drbg_ctr_uninstantiate(RAND_DRBG *drbg)
12fb8c3d	303	{
8212d505	304	OPENSSL_cleanse(&drbg->data.ctr, sizeof(drbg->data.ctr));
12fb8c3d RS	305	return 1;
	306	}
	307
8212d505 DMSP	308	static RAND_DRBG_METHOD drbg_ctr_meth = {
	309	drbg_ctr_instantiate,
	310	drbg_ctr_reseed,
	311	drbg_ctr_generate,
	312	drbg_ctr_uninstantiate
	313	};
	314
	315	int drbg_ctr_init(RAND_DRBG *drbg)
12fb8c3d	316	{
8212d505	317	RAND_DRBG_CTR *ctr = &drbg->data.ctr;
12fb8c3d RS	318	size_t keylen;
12fb8c3d RS	319
31393fd9	320	switch (drbg->type) {
12fb8c3d RS	321	default:
12fb8c3d RS	322	/* This can't happen, but silence the compiler warning. */
efb8128a	323	return 0;
12fb8c3d RS	324	case NID_aes_128_ctr:
	325	keylen = 16;
	326	break;
	327	case NID_aes_192_ctr:
	328	keylen = 24;
	329	break;
	330	case NID_aes_256_ctr:
	331	keylen = 32;
	332	break;
	333	}
	334
8212d505 DMSP	335	drbg->meth = &drbg_ctr_meth;
8212d505 DMSP	336
75e2c877 RS	337	ctr->keylen = keylen;
	338	drbg->strength = keylen * 8;
	339	drbg->seedlen = keylen + 16;
12fb8c3d	340
8164d91d	341	if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
12fb8c3d RS	342	/* df initialisation */
	343	static unsigned char df_key[32] = {
	344	0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
	345	0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
	346	0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
	347	0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f
	348	};
	349	/* Set key schedule for df_key */
75e2c877 RS	350	AES_set_encrypt_key(df_key, drbg->strength, &ctr->df_ks);
75e2c877 RS	351
aa048aef	352	drbg->min_entropylen = ctr->keylen;
c16de9d8	353	drbg->max_entropylen = DRBG_MINMAX_FACTOR * drbg->min_entropylen;
aa048aef	354	drbg->min_noncelen = drbg->min_entropylen / 2;
c16de9d8	355	drbg->max_noncelen = DRBG_MINMAX_FACTOR * drbg->min_noncelen;
aa048aef DMSP	356	drbg->max_perslen = DRBG_MAX_LENGTH;
aa048aef DMSP	357	drbg->max_adinlen = DRBG_MAX_LENGTH;
12fb8c3d	358	} else {
aa048aef DMSP	359	drbg->min_entropylen = drbg->seedlen;
aa048aef DMSP	360	drbg->max_entropylen = drbg->seedlen;
12fb8c3d	361	/* Nonce not used */
aa048aef DMSP	362	drbg->min_noncelen = 0;
	363	drbg->max_noncelen = 0;
	364	drbg->max_perslen = drbg->seedlen;
	365	drbg->max_adinlen = drbg->seedlen;
12fb8c3d RS	366	}
12fb8c3d RS	367
75e2c877	368	drbg->max_request = 1 << 16;
4917e911	369
12fb8c3d RS	370	return 1;
12fb8c3d RS	371	}