crypto/rand/drbg_ctr.c

   1 /*
   2  * Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the OpenSSL license (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 #include <stdlib.h>
  11 #include <string.h>
  12 #include <openssl/crypto.h>
  13 #include <openssl/err.h>
  14 #include <openssl/rand.h>
  15 #include "internal/thread_once.h"
  16 #include "internal/thread_once.h"
  17 #include "rand_lcl.h"
  18 /*
  19  * Implementation of NIST SP 800-90A CTR DRBG.
  20  */
  21
  22 static void inc_128(RAND_DRBG_CTR *ctr)
  23 {
  24     int i;
  25     unsigned char c;
  26     unsigned char *p = &ctr->V[15];
  27
  28     for (i = 0; i < 16; i++, p--) {
  29         c = *p;
  30         c++;
  31         *p = c;
  32         if (c != 0) {
  33             /* If we didn't wrap around, we're done. */
  34             break;
  35         }
  36     }
  37 }
  38
  39 static void ctr_XOR(RAND_DRBG_CTR *ctr, const unsigned char *in, size_t inlen)
  40 {
  41     size_t i, n;
  42
  43     if (in == NULL || inlen == 0)
  44         return;
  45
  46     /*
  47      * Any zero padding will have no effect on the result as we
  48      * are XORing. So just process however much input we have.
  49      */
  50     n = inlen < ctr->keylen ? inlen : ctr->keylen;
  51     for (i = 0; i < n; i++)
  52         ctr->K[i] ^= in[i];
  53     if (inlen <= ctr->keylen)
  54         return;
  55
  56     n = inlen - ctr->keylen;
  57     if (n > 16) {
  58         /* Should never happen */
  59         n = 16;
  60     }
  61     for (i = 0; i < n; i++)
  62         ctr->V[i] ^= in[i + ctr->keylen];
  63 }
  64
  65 /*
  66  * Process a complete block using BCC algorithm of SP 800-90A 10.3.3
  67  */
  68 static void ctr_BCC_block(RAND_DRBG_CTR *ctr, unsigned char *out,
  69                           const unsigned char *in)
  70 {
  71     int i;
  72
  73     for (i = 0; i < 16; i++)
  74         out[i] ^= in[i];
  75     AES_encrypt(out, out, &ctr->df_ks);
  76 }
  77
  78
  79 /*
  80  * Handle several BCC operations for as much data as we need for K and X
  81  */
  82 static void ctr_BCC_blocks(RAND_DRBG_CTR *ctr, const unsigned char *in)
  83 {
  84     ctr_BCC_block(ctr, ctr->KX, in);
  85     ctr_BCC_block(ctr, ctr->KX + 16, in);
  86     if (ctr->keylen != 16)
  87         ctr_BCC_block(ctr, ctr->KX + 32, in);
  88 }
  89
  90 /*
  91  * Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
  92  * see 10.3.1 stage 7.
  93  */
  94 static void ctr_BCC_init(RAND_DRBG_CTR *ctr)
  95 {
  96     memset(ctr->KX, 0, 48);
  97     memset(ctr->bltmp, 0, 16);
  98     ctr_BCC_block(ctr, ctr->KX, ctr->bltmp);
  99     ctr->bltmp[3] = 1;
 100     ctr_BCC_block(ctr, ctr->KX + 16, ctr->bltmp);
 101     if (ctr->keylen != 16) {
 102         ctr->bltmp[3] = 2;
 103         ctr_BCC_block(ctr, ctr->KX + 32, ctr->bltmp);
 104     }
 105 }
 106
 107 /*
 108  * Process several blocks into BCC algorithm, some possibly partial
 109  */
 110 static void ctr_BCC_update(RAND_DRBG_CTR *ctr,
 111                            const unsigned char *in, size_t inlen)
 112 {
 113     if (in == NULL || inlen == 0)
 114         return;
 115
 116     /* If we have partial block handle it first */
 117     if (ctr->bltmp_pos) {
 118         size_t left = 16 - ctr->bltmp_pos;
 119
 120         /* If we now have a complete block process it */
 121         if (inlen >= left) {
 122             memcpy(ctr->bltmp + ctr->bltmp_pos, in, left);
 123             ctr_BCC_blocks(ctr, ctr->bltmp);
 124             ctr->bltmp_pos = 0;
 125             inlen -= left;
 126             in += left;
 127         }
 128     }
 129
 130     /* Process zero or more complete blocks */
 131     for (; inlen >= 16; in += 16, inlen -= 16) {
 132         ctr_BCC_blocks(ctr, in);
 133     }
 134
 135     /* Copy any remaining partial block to the temporary buffer */
 136     if (inlen > 0) {
 137         memcpy(ctr->bltmp + ctr->bltmp_pos, in, inlen);
 138         ctr->bltmp_pos += inlen;
 139     }
 140 }
 141
 142 static void ctr_BCC_final(RAND_DRBG_CTR *ctr)
 143 {
 144     if (ctr->bltmp_pos) {
 145         memset(ctr->bltmp + ctr->bltmp_pos, 0, 16 - ctr->bltmp_pos);
 146         ctr_BCC_blocks(ctr, ctr->bltmp);
 147     }
 148 }
 149
 150 static void ctr_df(RAND_DRBG_CTR *ctr,
 151                    const unsigned char *in1, size_t in1len,
 152                    const unsigned char *in2, size_t in2len,
 153                    const unsigned char *in3, size_t in3len)
 154 {
 155     static unsigned char c80 = 0x80;
 156     size_t inlen;
 157     unsigned char *p = ctr->bltmp;
 158
 159     ctr_BCC_init(ctr);
 160     if (in1 == NULL)
 161         in1len = 0;
 162     if (in2 == NULL)
 163         in2len = 0;
 164     if (in3 == NULL)
 165         in3len = 0;
 166     inlen = in1len + in2len + in3len;
 167     /* Initialise L||N in temporary block */
 168     *p++ = (inlen >> 24) & 0xff;
 169     *p++ = (inlen >> 16) & 0xff;
 170     *p++ = (inlen >> 8) & 0xff;
 171     *p++ = inlen & 0xff;
 172
 173     /* NB keylen is at most 32 bytes */
 174     *p++ = 0;
 175     *p++ = 0;
 176     *p++ = 0;
 177     *p = (unsigned char)((ctr->keylen + 16) & 0xff);
 178     ctr->bltmp_pos = 8;
 179     ctr_BCC_update(ctr, in1, in1len);
 180     ctr_BCC_update(ctr, in2, in2len);
 181     ctr_BCC_update(ctr, in3, in3len);
 182     ctr_BCC_update(ctr, &c80, 1);
 183     ctr_BCC_final(ctr);
 184     /* Set up key K */
 185     AES_set_encrypt_key(ctr->KX, ctr->keylen * 8, &ctr->df_kxks);
 186     /* X follows key K */
 187     AES_encrypt(ctr->KX + ctr->keylen, ctr->KX, &ctr->df_kxks);
 188     AES_encrypt(ctr->KX, ctr->KX + 16, &ctr->df_kxks);
 189     if (ctr->keylen != 16)
 190         AES_encrypt(ctr->KX + 16, ctr->KX + 32, &ctr->df_kxks);
 191 }
 192
 193 /*
 194  * NB the no-df Update in SP800-90A specifies a constant input length
 195  * of seedlen, however other uses of this algorithm pad the input with
 196  * zeroes if necessary and have up to two parameters XORed together,
 197  * so we handle both cases in this function instead.
 198  */
 199 static void ctr_update(RAND_DRBG *drbg,
 200                        const unsigned char *in1, size_t in1len,
 201                        const unsigned char *in2, size_t in2len,
 202                        const unsigned char *nonce, size_t noncelen)
 203 {
 204     RAND_DRBG_CTR *ctr = &drbg->data.ctr;
 205
 206     /* ks is already setup for correct key */
 207     inc_128(ctr);
 208     AES_encrypt(ctr->V, ctr->K, &ctr->ks);
 209
 210     /* If keylen longer than 128 bits need extra encrypt */
 211     if (ctr->keylen != 16) {
 212         inc_128(ctr);
 213         AES_encrypt(ctr->V, ctr->K + 16, &ctr->ks);
 214     }
 215     inc_128(ctr);
 216     AES_encrypt(ctr->V, ctr->V, &ctr->ks);
 217
 218     /* If 192 bit key part of V is on end of K */
 219     if (ctr->keylen == 24) {
 220         memcpy(ctr->V + 8, ctr->V, 8);
 221         memcpy(ctr->V, ctr->K + 24, 8);
 222     }
 223
 224     if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
 225         /* If no input reuse existing derived value */
 226         if (in1 != NULL || nonce != NULL || in2 != NULL)
 227             ctr_df(ctr, in1, in1len, nonce, noncelen, in2, in2len);
 228         /* If this a reuse input in1len != 0 */
 229         if (in1len)
 230             ctr_XOR(ctr, ctr->KX, drbg->seedlen);
 231     } else {
 232         ctr_XOR(ctr, in1, in1len);
 233         ctr_XOR(ctr, in2, in2len);
 234     }
 235
 236     AES_set_encrypt_key(ctr->K, drbg->strength, &ctr->ks);
 237 }
 238
 239 static int drbg_ctr_instantiate(RAND_DRBG *drbg,
 240                                 const unsigned char *entropy, size_t entropylen,
 241                                 const unsigned char *nonce, size_t noncelen,
 242                                 const unsigned char *pers, size_t perslen)
 243 {
 244     RAND_DRBG_CTR *ctr = &drbg->data.ctr;
 245
 246     if (entropy == NULL)
 247         return 0;
 248
 249     memset(ctr->K, 0, sizeof(ctr->K));
 250     memset(ctr->V, 0, sizeof(ctr->V));
 251     AES_set_encrypt_key(ctr->K, drbg->strength, &ctr->ks);
 252     ctr_update(drbg, entropy, entropylen, pers, perslen, nonce, noncelen);
 253     return 1;
 254 }
 255
 256 static int drbg_ctr_reseed(RAND_DRBG *drbg,
 257                            const unsigned char *entropy, size_t entropylen,
 258                            const unsigned char *adin, size_t adinlen)
 259 {
 260     if (entropy == NULL)
 261         return 0;
 262     ctr_update(drbg, entropy, entropylen, adin, adinlen, NULL, 0);
 263     return 1;
 264 }
 265
 266 static int drbg_ctr_generate(RAND_DRBG *drbg,
 267                              unsigned char *out, size_t outlen,
 268                              const unsigned char *adin, size_t adinlen)
 269 {
 270     RAND_DRBG_CTR *ctr = &drbg->data.ctr;
 271
 272     if (adin != NULL && adinlen != 0) {
 273         ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0);
 274         /* This means we reuse derived value */
 275         if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
 276             adin = NULL;
 277             adinlen = 1;
 278         }
 279     } else {
 280         adinlen = 0;
 281     }
 282
 283     for ( ; ; ) {
 284         inc_128(ctr);
 285         if (outlen < 16) {
 286             /* Use K as temp space as it will be updated */
 287             AES_encrypt(ctr->V, ctr->K, &ctr->ks);
 288             memcpy(out, ctr->K, outlen);
 289             break;
 290         }
 291         AES_encrypt(ctr->V, out, &ctr->ks);
 292         out += 16;
 293         outlen -= 16;
 294         if (outlen == 0)
 295             break;
 296     }
 297
 298     ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0);
 299     return 1;
 300 }
 301
 302 static int drbg_ctr_uninstantiate(RAND_DRBG *drbg)
 303 {
 304     OPENSSL_cleanse(&drbg->data.ctr, sizeof(drbg->data.ctr));
 305     return 1;
 306 }
 307
 308 static RAND_DRBG_METHOD drbg_ctr_meth = {
 309     drbg_ctr_instantiate,
 310     drbg_ctr_reseed,
 311     drbg_ctr_generate,
 312     drbg_ctr_uninstantiate
 313 };
 314
 315 int drbg_ctr_init(RAND_DRBG *drbg)
 316 {
 317     RAND_DRBG_CTR *ctr = &drbg->data.ctr;
 318     size_t keylen;
 319
 320     switch (drbg->type) {
 321     default:
 322         /* This can't happen, but silence the compiler warning. */
 323         return 0;
 324     case NID_aes_128_ctr:
 325         keylen = 16;
 326         break;
 327     case NID_aes_192_ctr:
 328         keylen = 24;
 329         break;
 330     case NID_aes_256_ctr:
 331         keylen = 32;
 332         break;
 333     }
 334
 335     drbg->meth = &drbg_ctr_meth;
 336
 337     ctr->keylen = keylen;
 338     drbg->strength = keylen * 8;
 339     drbg->seedlen = keylen + 16;
 340
 341     if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
 342         /* df initialisation */
 343         static unsigned char df_key[32] = {
 344             0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
 345             0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
 346             0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
 347             0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f
 348         };
 349         /* Set key schedule for df_key */
 350         AES_set_encrypt_key(df_key, drbg->strength, &ctr->df_ks);
 351
 352         drbg->min_entropylen = ctr->keylen;
 353         drbg->max_entropylen = DRBG_MINMAX_FACTOR * drbg->min_entropylen;
 354         drbg->min_noncelen = drbg->min_entropylen / 2;
 355         drbg->max_noncelen = DRBG_MINMAX_FACTOR * drbg->min_noncelen;
 356         drbg->max_perslen = DRBG_MAX_LENGTH;
 357         drbg->max_adinlen = DRBG_MAX_LENGTH;
 358     } else {
 359         drbg->min_entropylen = drbg->seedlen;
 360         drbg->max_entropylen = drbg->seedlen;
 361         /* Nonce not used */
 362         drbg->min_noncelen = 0;
 363         drbg->max_noncelen = 0;
 364         drbg->max_perslen = drbg->seedlen;
 365         drbg->max_adinlen = drbg->seedlen;
 366     }
 367
 368     drbg->max_request = 1 << 16;
 369
 370     return 1;
 371 }