[thirdparty/openssl.git] / crypto / rand / drbg_ctr.c

/*
 * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdlib.h>
#include <string.h>
#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/rand.h>
#include "crypto/modes.h"
#include "internal/thread_once.h"
#include "rand_local.h"

/*
 * Implementation of NIST SP 800-90A CTR DRBG.
 */
static void inc_128(RAND_DRBG_CTR *ctr)
{
    unsigned char *p = &ctr->V[0];
    u32 n = 16, c = 1;

    do {
        --n;
        c += p[n];
        p[n] = (u8)c;
        c >>= 8;
    } while (n);
}

static void ctr_XOR(RAND_DRBG_CTR *ctr, const unsigned char *in, size_t inlen)
{
    size_t i, n;

    if (in == NULL || inlen == 0)
        return;

    /*
     * Any zero padding will have no effect on the result as we
     * are XORing. So just process however much input we have.
     */
    n = inlen < ctr->keylen ? inlen : ctr->keylen;
    for (i = 0; i < n; i++)
        ctr->K[i] ^= in[i];
    if (inlen <= ctr->keylen)
        return;

    n = inlen - ctr->keylen;
    if (n > 16) {
        /* Should never happen */
        n = 16;
    }
    for (i = 0; i < n; i++)
        ctr->V[i] ^= in[i + ctr->keylen];
}

/*
 * Process a complete block using BCC algorithm of SP 800-90A 10.3.3
 */
__owur static int ctr_BCC_block(RAND_DRBG_CTR *ctr, unsigned char *out,
                                const unsigned char *in, int len)
{
    int i, outlen = AES_BLOCK_SIZE;

    for (i = 0; i < len; i++)
        out[i] ^= in[i];

    if (!EVP_CipherUpdate(ctr->ctx_df, out, &outlen, out, len)
        || outlen != len)
        return 0;
    return 1;
}


/*
 * Handle several BCC operations for as much data as we need for K and X
 */
__owur static int ctr_BCC_blocks(RAND_DRBG_CTR *ctr, const unsigned char *in)
{
    unsigned char in_tmp[48];
    unsigned char num_of_blk = 2;

    memcpy(in_tmp, in, 16);
    memcpy(in_tmp + 16, in, 16);
    if (ctr->keylen != 16) {
        memcpy(in_tmp + 32, in, 16);
        num_of_blk = 3;
    }
    return ctr_BCC_block(ctr, ctr->KX, in_tmp, AES_BLOCK_SIZE * num_of_blk);
}

/*
 * Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
 * see 10.3.1 stage 7.
 */
__owur static int ctr_BCC_init(RAND_DRBG_CTR *ctr)
{
    unsigned char bltmp[48] = {0};
    unsigned char num_of_blk;

    memset(ctr->KX, 0, 48);
    num_of_blk = ctr->keylen == 16 ? 2 : 3;
    bltmp[(AES_BLOCK_SIZE * 1) + 3] = 1;
    bltmp[(AES_BLOCK_SIZE * 2) + 3] = 2;
    return ctr_BCC_block(ctr, ctr->KX, bltmp, num_of_blk * AES_BLOCK_SIZE);
}

/*
 * Process several blocks into BCC algorithm, some possibly partial
 */
__owur static int ctr_BCC_update(RAND_DRBG_CTR *ctr,
                                 const unsigned char *in, size_t inlen)
{
    if (in == NULL || inlen == 0)
        return 1;

    /* If we have partial block handle it first */
    if (ctr->bltmp_pos) {
        size_t left = 16 - ctr->bltmp_pos;

        /* If we now have a complete block process it */
        if (inlen >= left) {
            memcpy(ctr->bltmp + ctr->bltmp_pos, in, left);
            if (!ctr_BCC_blocks(ctr, ctr->bltmp))
                return 0;
            ctr->bltmp_pos = 0;
            inlen -= left;
            in += left;
        }
    }

    /* Process zero or more complete blocks */
    for (; inlen >= 16; in += 16, inlen -= 16) {
        if (!ctr_BCC_blocks(ctr, in))
            return 0;
    }

    /* Copy any remaining partial block to the temporary buffer */
    if (inlen > 0) {
        memcpy(ctr->bltmp + ctr->bltmp_pos, in, inlen);
        ctr->bltmp_pos += inlen;
    }
    return 1;
}

__owur static int ctr_BCC_final(RAND_DRBG_CTR *ctr)
{
    if (ctr->bltmp_pos) {
        memset(ctr->bltmp + ctr->bltmp_pos, 0, 16 - ctr->bltmp_pos);
        if (!ctr_BCC_blocks(ctr, ctr->bltmp))
            return 0;
    }
    return 1;
}

__owur static int ctr_df(RAND_DRBG_CTR *ctr,
                         const unsigned char *in1, size_t in1len,
                         const unsigned char *in2, size_t in2len,
                         const unsigned char *in3, size_t in3len)
{
    static unsigned char c80 = 0x80;
    size_t inlen;
    unsigned char *p = ctr->bltmp;
    int outlen = AES_BLOCK_SIZE;

    if (!ctr_BCC_init(ctr))
        return 0;
    if (in1 == NULL)
        in1len = 0;
    if (in2 == NULL)
        in2len = 0;
    if (in3 == NULL)
        in3len = 0;
    inlen = in1len + in2len + in3len;
    /* Initialise L||N in temporary block */
    *p++ = (inlen >> 24) & 0xff;
    *p++ = (inlen >> 16) & 0xff;
    *p++ = (inlen >> 8) & 0xff;
    *p++ = inlen & 0xff;

    /* NB keylen is at most 32 bytes */
    *p++ = 0;
    *p++ = 0;
    *p++ = 0;
    *p = (unsigned char)((ctr->keylen + 16) & 0xff);
    ctr->bltmp_pos = 8;
    if (!ctr_BCC_update(ctr, in1, in1len)
        || !ctr_BCC_update(ctr, in2, in2len)
        || !ctr_BCC_update(ctr, in3, in3len)
        || !ctr_BCC_update(ctr, &c80, 1)
        || !ctr_BCC_final(ctr))
        return 0;
    /* Set up key K */
    if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->KX, NULL, -1))
        return 0;
    /* X follows key K */
    if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX, &outlen, ctr->KX + ctr->keylen,
                          AES_BLOCK_SIZE)
        || outlen != AES_BLOCK_SIZE)
        return 0;
    if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX + 16, &outlen, ctr->KX,
                          AES_BLOCK_SIZE)
        || outlen != AES_BLOCK_SIZE)
        return 0;
    if (ctr->keylen != 16)
        if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX + 32, &outlen,
                              ctr->KX + 16, AES_BLOCK_SIZE)
            || outlen != AES_BLOCK_SIZE)
            return 0;
    return 1;
}

/*
 * NB the no-df Update in SP800-90A specifies a constant input length
 * of seedlen, however other uses of this algorithm pad the input with
 * zeroes if necessary and have up to two parameters XORed together,
 * so we handle both cases in this function instead.
 */
__owur static int ctr_update(RAND_DRBG *drbg,
                             const unsigned char *in1, size_t in1len,
                             const unsigned char *in2, size_t in2len,
                             const unsigned char *nonce, size_t noncelen)
{
    RAND_DRBG_CTR *ctr = &drbg->data.ctr;
    int outlen = AES_BLOCK_SIZE;
    unsigned char V_tmp[48], out[48];
    unsigned char len;

    /* correct key is already set up. */
    memcpy(V_tmp, ctr->V, 16);
    inc_128(ctr);
    memcpy(V_tmp + 16, ctr->V, 16);
    if (ctr->keylen == 16) {
        len = 32;
    } else {
        inc_128(ctr);
        memcpy(V_tmp + 32, ctr->V, 16);
        len = 48;
    }
    if (!EVP_CipherUpdate(ctr->ctx_ecb, out, &outlen, V_tmp, len)
            || outlen != len)
        return 0;
    memcpy(ctr->K, out, ctr->keylen);
    memcpy(ctr->V, out + ctr->keylen, 16);

    if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
        /* If no input reuse existing derived value */
        if (in1 != NULL || nonce != NULL || in2 != NULL)
            if (!ctr_df(ctr, in1, in1len, nonce, noncelen, in2, in2len))
                return 0;
        /* If this a reuse input in1len != 0 */
        if (in1len)
            ctr_XOR(ctr, ctr->KX, drbg->seedlen);
    } else {
        ctr_XOR(ctr, in1, in1len);
        ctr_XOR(ctr, in2, in2len);
    }

    if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->K, NULL, -1)
        || !EVP_CipherInit_ex(ctr->ctx_ctr, NULL, NULL, ctr->K, NULL, -1))
        return 0;
    return 1;
}

__owur static int drbg_ctr_instantiate(RAND_DRBG *drbg,
                                       const unsigned char *entropy, size_t entropylen,
                                       const unsigned char *nonce, size_t noncelen,
                                       const unsigned char *pers, size_t perslen)
{
    RAND_DRBG_CTR *ctr = &drbg->data.ctr;

    if (entropy == NULL)
        return 0;

    memset(ctr->K, 0, sizeof(ctr->K));
    memset(ctr->V, 0, sizeof(ctr->V));
    if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->K, NULL, -1))
        return 0;

    inc_128(ctr);
    if (!ctr_update(drbg, entropy, entropylen, pers, perslen, nonce, noncelen))
        return 0;
    return 1;
}

__owur static int drbg_ctr_reseed(RAND_DRBG *drbg,
                                  const unsigned char *entropy, size_t entropylen,
                                  const unsigned char *adin, size_t adinlen)
{
    RAND_DRBG_CTR *ctr = &drbg->data.ctr;

    if (entropy == NULL)
        return 0;

    inc_128(ctr);
    if (!ctr_update(drbg, entropy, entropylen, adin, adinlen, NULL, 0))
        return 0;
    return 1;
}

static void ctr96_inc(unsigned char *counter)
{
    u32 n = 12, c = 1;

    do {
        --n;
        c += counter[n];
        counter[n] = (u8)c;
        c >>= 8;
    } while (n);
}

__owur static int drbg_ctr_generate(RAND_DRBG *drbg,
                                    unsigned char *out, size_t outlen,
                                    const unsigned char *adin, size_t adinlen)
{
    RAND_DRBG_CTR *ctr = &drbg->data.ctr;
    unsigned int ctr32, blocks;
    int outl, buflen;

    if (adin != NULL && adinlen != 0) {
        inc_128(ctr);

        if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
            return 0;
        /* This means we reuse derived value */
        if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
            adin = NULL;
            adinlen = 1;
        }
    } else {
        adinlen = 0;
    }

    inc_128(ctr);

    if (outlen == 0) {
        inc_128(ctr);

        if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
            return 0;
        return 1;
    }

    memset(out, 0, outlen);

    do {
        if (!EVP_CipherInit_ex(ctr->ctx_ctr,
                               NULL, NULL, NULL, ctr->V, -1))
            return 0;

        /*-
         * outlen has type size_t while EVP_CipherUpdate takes an
         * int argument and thus cannot be guaranteed to process more
         * than 2^31-1 bytes at a time. We process such huge generate
         * requests in 2^30 byte chunks, which is the greatest multiple
         * of AES block size lower than or equal to 2^31-1.
         */
        buflen = outlen > (1U << 30) ? (1U << 30) : outlen;
        blocks = (buflen + 15) / 16;

        ctr32 = GETU32(ctr->V + 12) + blocks;
        if (ctr32 < blocks) {
            /* 32-bit counter overflow into V. */
            if (ctr32 != 0) {
                blocks -= ctr32;
                buflen = blocks * 16;
                ctr32 = 0;
            }
            ctr96_inc(ctr->V);
        }
        PUTU32(ctr->V + 12, ctr32);

        if (!EVP_CipherUpdate(ctr->ctx_ctr, out, &outl, out, buflen)
            || outl != buflen)
            return 0;

        out += buflen;
        outlen -= buflen;
    } while (outlen);

    if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
        return 0;
    return 1;
}

static int drbg_ctr_uninstantiate(RAND_DRBG *drbg)
{
    EVP_CIPHER_CTX_free(drbg->data.ctr.ctx_ecb);
    EVP_CIPHER_CTX_free(drbg->data.ctr.ctx_ctr);
    EVP_CIPHER_CTX_free(drbg->data.ctr.ctx_df);
    EVP_CIPHER_free(drbg->data.ctr.cipher_ecb);
    EVP_CIPHER_free(drbg->data.ctr.cipher_ctr);
    OPENSSL_cleanse(&drbg->data.ctr, sizeof(drbg->data.ctr));
    return 1;
}

static RAND_DRBG_METHOD drbg_ctr_meth = {
    drbg_ctr_instantiate,
    drbg_ctr_reseed,
    drbg_ctr_generate,
    drbg_ctr_uninstantiate
};

int drbg_ctr_init(RAND_DRBG *drbg)
{
    RAND_DRBG_CTR *ctr = &drbg->data.ctr;
    size_t keylen;
    EVP_CIPHER *cipher_ecb = NULL;
    EVP_CIPHER *cipher_ctr = NULL;

    switch (drbg->type) {
    default:
        /* This can't happen, but silence the compiler warning. */
        return 0;
    case NID_aes_128_ctr:
        keylen = 16;
        cipher_ecb = EVP_CIPHER_fetch(drbg->libctx, "AES-128-ECB", "");
        cipher_ctr = EVP_CIPHER_fetch(drbg->libctx, "AES-128-CTR", "");
        break;
    case NID_aes_192_ctr:
        keylen = 24;
        cipher_ecb = EVP_CIPHER_fetch(drbg->libctx, "AES-192-ECB", "");
        cipher_ctr = EVP_CIPHER_fetch(drbg->libctx, "AES-192-CTR", "");
        break;
    case NID_aes_256_ctr:
        keylen = 32;
        cipher_ecb = EVP_CIPHER_fetch(drbg->libctx, "AES-256-ECB", "");
        cipher_ctr = EVP_CIPHER_fetch(drbg->libctx, "AES-256-CTR", "");
        break;
    }
    if (cipher_ecb == NULL || cipher_ctr == NULL)
        return 0;

    EVP_CIPHER_free(ctr->cipher_ecb);
    ctr->cipher_ecb = cipher_ecb;
    EVP_CIPHER_free(ctr->cipher_ctr);
    ctr->cipher_ctr = cipher_ctr;

    ctr->keylen = keylen;
    if (ctr->ctx_ecb == NULL)
        ctr->ctx_ecb = EVP_CIPHER_CTX_new();
    if (ctr->ctx_ctr == NULL)
        ctr->ctx_ctr = EVP_CIPHER_CTX_new();
    if (ctr->ctx_ecb == NULL || ctr->ctx_ctr == NULL
        || !EVP_CipherInit_ex(ctr->ctx_ecb,
                              ctr->cipher_ecb, NULL, NULL, NULL, 1)
        || !EVP_CipherInit_ex(ctr->ctx_ctr,
                              ctr->cipher_ctr, NULL, NULL, NULL, 1))
        return 0;

    drbg->meth = &drbg_ctr_meth;
    drbg->strength = keylen * 8;
    drbg->seedlen = keylen + 16;

    if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
        /* df initialisation */
        static const unsigned char df_key[32] = {
            0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
            0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
            0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
            0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
        };

        if (ctr->ctx_df == NULL)
            ctr->ctx_df = EVP_CIPHER_CTX_new();
        if (ctr->ctx_df == NULL)
            return 0;
        /* Set key schedule for df_key */
        if (!EVP_CipherInit_ex(ctr->ctx_df,
                               ctr->cipher_ecb, NULL, df_key, NULL, 1))
            return 0;

        drbg->min_entropylen = ctr->keylen;
        drbg->max_entropylen = DRBG_MAX_LENGTH;
        drbg->min_noncelen = drbg->min_entropylen / 2;
        drbg->max_noncelen = DRBG_MAX_LENGTH;
        drbg->max_perslen = DRBG_MAX_LENGTH;
        drbg->max_adinlen = DRBG_MAX_LENGTH;
    } else {
#ifdef FIPS_MODULE
        RANDerr(RAND_F_DRBG_CTR_INIT,
                RAND_R_DERIVATION_FUNCTION_MANDATORY_FOR_FIPS);
        return 0;
#else
        drbg->min_entropylen = drbg->seedlen;
        drbg->max_entropylen = drbg->seedlen;
        /* Nonce not used */
        drbg->min_noncelen = 0;
        drbg->max_noncelen = 0;
        drbg->max_perslen = drbg->seedlen;
        drbg->max_adinlen = drbg->seedlen;
#endif
    }

    drbg->max_request = 1 << 16;

    return 1;
}
Commit	Line	Data
12fb8c3d	1	/*
33388b44	2	* Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved.
12fb8c3d	3	*
0db63de9	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
12fb8c3d RS	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
	10	#include <stdlib.h>
	11	#include <string.h>
	12	#include <openssl/crypto.h>
	13	#include <openssl/err.h>
	14	#include <openssl/rand.h>
28bdbe1a	15	#include "crypto/modes.h"
12fb8c3d	16	#include "internal/thread_once.h"
706457b7	17	#include "rand_local.h"
8bf36651	18
12fb8c3d	19	/*
75e2c877	20	* Implementation of NIST SP 800-90A CTR DRBG.
12fb8c3d	21	*/
75e2c877	22	static void inc_128(RAND_DRBG_CTR *ctr)
12fb8c3d	23	{
069165d1 PS	24	unsigned char *p = &ctr->V[0];
	25	u32 n = 16, c = 1;
	26
	27	do {
	28	--n;
	29	c += p[n];
	30	p[n] = (u8)c;
	31	c >>= 8;
	32	} while (n);
12fb8c3d RS	33	}
12fb8c3d RS	34
75e2c877	35	static void ctr_XOR(RAND_DRBG_CTR ctr, const unsigned char in, size_t inlen)
12fb8c3d RS	36	{
	37	size_t i, n;
	38
	39	if (in == NULL \|\| inlen == 0)
	40	return;
	41
	42	/*
	43	* Any zero padding will have no effect on the result as we
	44	* are XORing. So just process however much input we have.
	45	*/
75e2c877	46	n = inlen < ctr->keylen ? inlen : ctr->keylen;
12fb8c3d	47	for (i = 0; i < n; i++)
75e2c877 RS	48	ctr->K[i] ^= in[i];
75e2c877 RS	49	if (inlen <= ctr->keylen)
12fb8c3d RS	50	return;
12fb8c3d RS	51
75e2c877	52	n = inlen - ctr->keylen;
12fb8c3d RS	53	if (n > 16) {
	54	/* Should never happen */
	55	n = 16;
	56	}
b8a437ff	57	for (i = 0; i < n; i++)
75e2c877	58	ctr->V[i] ^= in[i + ctr->keylen];
12fb8c3d RS	59	}
	60
	61	/*
	62	* Process a complete block using BCC algorithm of SP 800-90A 10.3.3
	63	*/
dbdcc04f	64	__owur static int ctr_BCC_block(RAND_DRBG_CTR ctr, unsigned char out,
28bdbe1a	65	const unsigned char *in, int len)
12fb8c3d	66	{
dbdcc04f	67	int i, outlen = AES_BLOCK_SIZE;
12fb8c3d	68
28bdbe1a	69	for (i = 0; i < len; i++)
12fb8c3d	70	out[i] ^= in[i];
dbdcc04f	71
28bdbe1a PS	72	if (!EVP_CipherUpdate(ctr->ctx_df, out, &outlen, out, len)
28bdbe1a PS	73	\|\| outlen != len)
dbdcc04f KR	74	return 0;
dbdcc04f KR	75	return 1;
12fb8c3d RS	76	}
	77
	78
	79	/*
	80	* Handle several BCC operations for as much data as we need for K and X
	81	*/
dbdcc04f	82	__owur static int ctr_BCC_blocks(RAND_DRBG_CTR ctr, const unsigned char in)
12fb8c3d	83	{
28bdbe1a PS	84	unsigned char in_tmp[48];
	85	unsigned char num_of_blk = 2;
	86
	87	memcpy(in_tmp, in, 16);
	88	memcpy(in_tmp + 16, in, 16);
	89	if (ctr->keylen != 16) {
	90	memcpy(in_tmp + 32, in, 16);
	91	num_of_blk = 3;
	92	}
	93	return ctr_BCC_block(ctr, ctr->KX, in_tmp, AES_BLOCK_SIZE * num_of_blk);
12fb8c3d RS	94	}
	95
	96	/*
	97	* Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
	98	* see 10.3.1 stage 7.
	99	*/
dbdcc04f	100	__owur static int ctr_BCC_init(RAND_DRBG_CTR *ctr)
12fb8c3d	101	{
28bdbe1a PS	102	unsigned char bltmp[48] = {0};
	103	unsigned char num_of_blk;
	104
75e2c877	105	memset(ctr->KX, 0, 48);
28bdbe1a PS	106	num_of_blk = ctr->keylen == 16 ? 2 : 3;
	107	bltmp[(AES_BLOCK_SIZE * 1) + 3] = 1;
	108	bltmp[(AES_BLOCK_SIZE * 2) + 3] = 2;
	109	return ctr_BCC_block(ctr, ctr->KX, bltmp, num_of_blk * AES_BLOCK_SIZE);
12fb8c3d RS	110	}
	111
	112	/*
	113	* Process several blocks into BCC algorithm, some possibly partial
	114	*/
dbdcc04f KR	115	__owur static int ctr_BCC_update(RAND_DRBG_CTR *ctr,
dbdcc04f KR	116	const unsigned char *in, size_t inlen)
12fb8c3d RS	117	{
12fb8c3d RS	118	if (in == NULL \|\| inlen == 0)
dbdcc04f	119	return 1;
12fb8c3d RS	120
12fb8c3d RS	121	/* If we have partial block handle it first */
75e2c877 RS	122	if (ctr->bltmp_pos) {
75e2c877 RS	123	size_t left = 16 - ctr->bltmp_pos;
12fb8c3d RS	124
	125	/* If we now have a complete block process it */
	126	if (inlen >= left) {
75e2c877	127	memcpy(ctr->bltmp + ctr->bltmp_pos, in, left);
dbdcc04f KR	128	if (!ctr_BCC_blocks(ctr, ctr->bltmp))
dbdcc04f KR	129	return 0;
75e2c877	130	ctr->bltmp_pos = 0;
12fb8c3d RS	131	inlen -= left;
	132	in += left;
	133	}
	134	}
	135
	136	/* Process zero or more complete blocks */
	137	for (; inlen >= 16; in += 16, inlen -= 16) {
dbdcc04f KR	138	if (!ctr_BCC_blocks(ctr, in))
dbdcc04f KR	139	return 0;
12fb8c3d RS	140	}
	141
	142	/* Copy any remaining partial block to the temporary buffer */
	143	if (inlen > 0) {
75e2c877 RS	144	memcpy(ctr->bltmp + ctr->bltmp_pos, in, inlen);
75e2c877 RS	145	ctr->bltmp_pos += inlen;
12fb8c3d	146	}
dbdcc04f	147	return 1;
12fb8c3d RS	148	}
12fb8c3d RS	149
dbdcc04f	150	__owur static int ctr_BCC_final(RAND_DRBG_CTR *ctr)
12fb8c3d	151	{
75e2c877 RS	152	if (ctr->bltmp_pos) {
75e2c877 RS	153	memset(ctr->bltmp + ctr->bltmp_pos, 0, 16 - ctr->bltmp_pos);
dbdcc04f KR	154	if (!ctr_BCC_blocks(ctr, ctr->bltmp))
dbdcc04f KR	155	return 0;
12fb8c3d	156	}
dbdcc04f	157	return 1;
12fb8c3d RS	158	}
12fb8c3d RS	159
dbdcc04f KR	160	__owur static int ctr_df(RAND_DRBG_CTR *ctr,
	161	const unsigned char *in1, size_t in1len,
	162	const unsigned char *in2, size_t in2len,
	163	const unsigned char *in3, size_t in3len)
12fb8c3d RS	164	{
	165	static unsigned char c80 = 0x80;
	166	size_t inlen;
75e2c877	167	unsigned char *p = ctr->bltmp;
dbdcc04f	168	int outlen = AES_BLOCK_SIZE;
12fb8c3d	169
dbdcc04f KR	170	if (!ctr_BCC_init(ctr))
dbdcc04f KR	171	return 0;
12fb8c3d RS	172	if (in1 == NULL)
	173	in1len = 0;
	174	if (in2 == NULL)
	175	in2len = 0;
	176	if (in3 == NULL)
	177	in3len = 0;
	178	inlen = in1len + in2len + in3len;
	179	/* Initialise L\|\|N in temporary block */
	180	*p++ = (inlen >> 24) & 0xff;
	181	*p++ = (inlen >> 16) & 0xff;
	182	*p++ = (inlen >> 8) & 0xff;
	183	*p++ = inlen & 0xff;
	184
	185	/* NB keylen is at most 32 bytes */
	186	*p++ = 0;
	187	*p++ = 0;
	188	*p++ = 0;
75e2c877 RS	189	*p = (unsigned char)((ctr->keylen + 16) & 0xff);
75e2c877 RS	190	ctr->bltmp_pos = 8;
dbdcc04f KR	191	if (!ctr_BCC_update(ctr, in1, in1len)
	192	\|\| !ctr_BCC_update(ctr, in2, in2len)
	193	\|\| !ctr_BCC_update(ctr, in3, in3len)
	194	\|\| !ctr_BCC_update(ctr, &c80, 1)
	195	\|\| !ctr_BCC_final(ctr))
	196	return 0;
12fb8c3d	197	/* Set up key K */
28bdbe1a	198	if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->KX, NULL, -1))
dbdcc04f	199	return 0;
12fb8c3d	200	/* X follows key K */
28bdbe1a	201	if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX, &outlen, ctr->KX + ctr->keylen,
dbdcc04f KR	202	AES_BLOCK_SIZE)
	203	\|\| outlen != AES_BLOCK_SIZE)
	204	return 0;
28bdbe1a	205	if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX + 16, &outlen, ctr->KX,
dbdcc04f KR	206	AES_BLOCK_SIZE)
	207	\|\| outlen != AES_BLOCK_SIZE)
	208	return 0;
75e2c877	209	if (ctr->keylen != 16)
28bdbe1a PS	210	if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX + 32, &outlen,
28bdbe1a PS	211	ctr->KX + 16, AES_BLOCK_SIZE)
dbdcc04f KR	212	\|\| outlen != AES_BLOCK_SIZE)
	213	return 0;
	214	return 1;
12fb8c3d RS	215	}
	216
	217	/*
	218	* NB the no-df Update in SP800-90A specifies a constant input length
	219	* of seedlen, however other uses of this algorithm pad the input with
	220	* zeroes if necessary and have up to two parameters XORed together,
75e2c877	221	* so we handle both cases in this function instead.
12fb8c3d	222	*/
dbdcc04f KR	223	__owur static int ctr_update(RAND_DRBG *drbg,
	224	const unsigned char *in1, size_t in1len,
	225	const unsigned char *in2, size_t in2len,
	226	const unsigned char *nonce, size_t noncelen)
12fb8c3d	227	{
8212d505	228	RAND_DRBG_CTR *ctr = &drbg->data.ctr;
dbdcc04f	229	int outlen = AES_BLOCK_SIZE;
28bdbe1a PS	230	unsigned char V_tmp[48], out[48];
28bdbe1a PS	231	unsigned char len;
12fb8c3d	232
dbdcc04f	233	/* correct key is already set up. */
28bdbe1a	234	memcpy(V_tmp, ctr->V, 16);
75e2c877	235	inc_128(ctr);
28bdbe1a PS	236	memcpy(V_tmp + 16, ctr->V, 16);
	237	if (ctr->keylen == 16) {
	238	len = 32;
	239	} else {
75e2c877	240	inc_128(ctr);
28bdbe1a PS	241	memcpy(V_tmp + 32, ctr->V, 16);
28bdbe1a PS	242	len = 48;
12fb8c3d	243	}
28bdbe1a PS	244	if (!EVP_CipherUpdate(ctr->ctx_ecb, out, &outlen, V_tmp, len)
28bdbe1a PS	245	\|\| outlen != len)
dbdcc04f	246	return 0;
28bdbe1a PS	247	memcpy(ctr->K, out, ctr->keylen);
28bdbe1a PS	248	memcpy(ctr->V, out + ctr->keylen, 16);
12fb8c3d	249
8164d91d	250	if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
12fb8c3d RS	251	/* If no input reuse existing derived value */
12fb8c3d RS	252	if (in1 != NULL \|\| nonce != NULL \|\| in2 != NULL)
dbdcc04f KR	253	if (!ctr_df(ctr, in1, in1len, nonce, noncelen, in2, in2len))
dbdcc04f KR	254	return 0;
12fb8c3d RS	255	/* If this a reuse input in1len != 0 */
12fb8c3d RS	256	if (in1len)
75e2c877	257	ctr_XOR(ctr, ctr->KX, drbg->seedlen);
12fb8c3d	258	} else {
75e2c877 RS	259	ctr_XOR(ctr, in1, in1len);
75e2c877 RS	260	ctr_XOR(ctr, in2, in2len);
12fb8c3d RS	261	}
12fb8c3d RS	262
28bdbe1a PS	263	if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->K, NULL, -1)
28bdbe1a PS	264	\|\| !EVP_CipherInit_ex(ctr->ctx_ctr, NULL, NULL, ctr->K, NULL, -1))
dbdcc04f KR	265	return 0;
dbdcc04f KR	266	return 1;
12fb8c3d RS	267	}
12fb8c3d RS	268
dbdcc04f KR	269	__owur static int drbg_ctr_instantiate(RAND_DRBG *drbg,
	270	const unsigned char *entropy, size_t entropylen,
	271	const unsigned char *nonce, size_t noncelen,
	272	const unsigned char *pers, size_t perslen)
12fb8c3d	273	{
8212d505	274	RAND_DRBG_CTR *ctr = &drbg->data.ctr;
12fb8c3d	275
aa048aef	276	if (entropy == NULL)
4c78ba59 DSH	277	return 0;
4c78ba59 DSH	278
75e2c877 RS	279	memset(ctr->K, 0, sizeof(ctr->K));
75e2c877 RS	280	memset(ctr->V, 0, sizeof(ctr->V));
28bdbe1a	281	if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->K, NULL, -1))
dbdcc04f	282	return 0;
28bdbe1a PS	283
28bdbe1a PS	284	inc_128(ctr);
dbdcc04f KR	285	if (!ctr_update(drbg, entropy, entropylen, pers, perslen, nonce, noncelen))
dbdcc04f KR	286	return 0;
12fb8c3d RS	287	return 1;
	288	}
	289
dbdcc04f KR	290	__owur static int drbg_ctr_reseed(RAND_DRBG *drbg,
	291	const unsigned char *entropy, size_t entropylen,
	292	const unsigned char *adin, size_t adinlen)
12fb8c3d	293	{
28bdbe1a PS	294	RAND_DRBG_CTR *ctr = &drbg->data.ctr;
28bdbe1a PS	295
aa048aef	296	if (entropy == NULL)
4c78ba59	297	return 0;
28bdbe1a PS	298
28bdbe1a PS	299	inc_128(ctr);
dbdcc04f KR	300	if (!ctr_update(drbg, entropy, entropylen, adin, adinlen, NULL, 0))
dbdcc04f KR	301	return 0;
12fb8c3d RS	302	return 1;
	303	}
	304
28bdbe1a PS	305	static void ctr96_inc(unsigned char *counter)
	306	{
	307	u32 n = 12, c = 1;
	308
	309	do {
	310	--n;
	311	c += counter[n];
	312	counter[n] = (u8)c;
	313	c >>= 8;
	314	} while (n);
	315	}
	316
dbdcc04f KR	317	__owur static int drbg_ctr_generate(RAND_DRBG *drbg,
	318	unsigned char *out, size_t outlen,
	319	const unsigned char *adin, size_t adinlen)
12fb8c3d	320	{
8212d505	321	RAND_DRBG_CTR *ctr = &drbg->data.ctr;
28bdbe1a PS	322	unsigned int ctr32, blocks;
28bdbe1a PS	323	int outl, buflen;
12fb8c3d RS	324
12fb8c3d RS	325	if (adin != NULL && adinlen != 0) {
28bdbe1a PS	326	inc_128(ctr);
28bdbe1a PS	327
dbdcc04f KR	328	if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
dbdcc04f KR	329	return 0;
12fb8c3d	330	/* This means we reuse derived value */
8164d91d	331	if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
12fb8c3d RS	332	adin = NULL;
	333	adinlen = 1;
	334	}
	335	} else {
	336	adinlen = 0;
	337	}
	338
28bdbe1a	339	inc_128(ctr);
dbdcc04f	340
28bdbe1a	341	if (outlen == 0) {
75e2c877	342	inc_128(ctr);
28bdbe1a PS	343
28bdbe1a PS	344	if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
dbdcc04f	345	return 0;
28bdbe1a	346	return 1;
12fb8c3d RS	347	}
12fb8c3d RS	348
28bdbe1a PS	349	memset(out, 0, outlen);
	350
	351	do {
	352	if (!EVP_CipherInit_ex(ctr->ctx_ctr,
	353	NULL, NULL, NULL, ctr->V, -1))
	354	return 0;
	355
	356	/*-
	357	* outlen has type size_t while EVP_CipherUpdate takes an
	358	* int argument and thus cannot be guaranteed to process more
	359	* than 2^31-1 bytes at a time. We process such huge generate
	360	* requests in 2^30 byte chunks, which is the greatest multiple
	361	* of AES block size lower than or equal to 2^31-1.
	362	*/
	363	buflen = outlen > (1U << 30) ? (1U << 30) : outlen;
	364	blocks = (buflen + 15) / 16;
	365
	366	ctr32 = GETU32(ctr->V + 12) + blocks;
	367	if (ctr32 < blocks) {
	368	/* 32-bit counter overflow into V. */
42fa3e66 BE	369	if (ctr32 != 0) {
	370	blocks -= ctr32;
	371	buflen = blocks * 16;
	372	ctr32 = 0;
	373	}
28bdbe1a PS	374	ctr96_inc(ctr->V);
	375	}
	376	PUTU32(ctr->V + 12, ctr32);
	377
	378	if (!EVP_CipherUpdate(ctr->ctx_ctr, out, &outl, out, buflen)
	379	\|\| outl != buflen)
	380	return 0;
	381
	382	out += buflen;
	383	outlen -= buflen;
	384	} while (outlen);
	385
dbdcc04f KR	386	if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
dbdcc04f KR	387	return 0;
12fb8c3d RS	388	return 1;
	389	}
	390
8212d505	391	static int drbg_ctr_uninstantiate(RAND_DRBG *drbg)
12fb8c3d	392	{
28bdbe1a PS	393	EVP_CIPHER_CTX_free(drbg->data.ctr.ctx_ecb);
28bdbe1a PS	394	EVP_CIPHER_CTX_free(drbg->data.ctr.ctx_ctr);
dbdcc04f	395	EVP_CIPHER_CTX_free(drbg->data.ctr.ctx_df);
28bdbe1a PS	396	EVP_CIPHER_free(drbg->data.ctr.cipher_ecb);
28bdbe1a PS	397	EVP_CIPHER_free(drbg->data.ctr.cipher_ctr);
8212d505	398	OPENSSL_cleanse(&drbg->data.ctr, sizeof(drbg->data.ctr));
12fb8c3d RS	399	return 1;
	400	}
	401
8212d505 DMSP	402	static RAND_DRBG_METHOD drbg_ctr_meth = {
	403	drbg_ctr_instantiate,
	404	drbg_ctr_reseed,
	405	drbg_ctr_generate,
	406	drbg_ctr_uninstantiate
	407	};
	408
	409	int drbg_ctr_init(RAND_DRBG *drbg)
12fb8c3d	410	{
8212d505	411	RAND_DRBG_CTR *ctr = &drbg->data.ctr;
12fb8c3d	412	size_t keylen;
28bdbe1a PS	413	EVP_CIPHER *cipher_ecb = NULL;
28bdbe1a PS	414	EVP_CIPHER *cipher_ctr = NULL;
12fb8c3d	415
31393fd9	416	switch (drbg->type) {
12fb8c3d RS	417	default:
12fb8c3d RS	418	/* This can't happen, but silence the compiler warning. */
efb8128a	419	return 0;
12fb8c3d RS	420	case NID_aes_128_ctr:
12fb8c3d RS	421	keylen = 16;
28bdbe1a PS	422	cipher_ecb = EVP_CIPHER_fetch(drbg->libctx, "AES-128-ECB", "");
28bdbe1a PS	423	cipher_ctr = EVP_CIPHER_fetch(drbg->libctx, "AES-128-CTR", "");
12fb8c3d RS	424	break;
	425	case NID_aes_192_ctr:
	426	keylen = 24;
28bdbe1a PS	427	cipher_ecb = EVP_CIPHER_fetch(drbg->libctx, "AES-192-ECB", "");
28bdbe1a PS	428	cipher_ctr = EVP_CIPHER_fetch(drbg->libctx, "AES-192-CTR", "");
12fb8c3d RS	429	break;
	430	case NID_aes_256_ctr:
	431	keylen = 32;
28bdbe1a PS	432	cipher_ecb = EVP_CIPHER_fetch(drbg->libctx, "AES-256-ECB", "");
28bdbe1a PS	433	cipher_ctr = EVP_CIPHER_fetch(drbg->libctx, "AES-256-CTR", "");
12fb8c3d RS	434	break;
12fb8c3d RS	435	}
28bdbe1a	436	if (cipher_ecb == NULL \|\| cipher_ctr == NULL)
57ca171a MC	437	return 0;
57ca171a MC	438
28bdbe1a PS	439	EVP_CIPHER_free(ctr->cipher_ecb);
	440	ctr->cipher_ecb = cipher_ecb;
	441	EVP_CIPHER_free(ctr->cipher_ctr);
	442	ctr->cipher_ctr = cipher_ctr;
8212d505	443
75e2c877	444	ctr->keylen = keylen;
28bdbe1a PS	445	if (ctr->ctx_ecb == NULL)
	446	ctr->ctx_ecb = EVP_CIPHER_CTX_new();
	447	if (ctr->ctx_ctr == NULL)
	448	ctr->ctx_ctr = EVP_CIPHER_CTX_new();
	449	if (ctr->ctx_ecb == NULL \|\| ctr->ctx_ctr == NULL
	450	\|\| !EVP_CipherInit_ex(ctr->ctx_ecb,
	451	ctr->cipher_ecb, NULL, NULL, NULL, 1)
	452	\|\| !EVP_CipherInit_ex(ctr->ctx_ctr,
	453	ctr->cipher_ctr, NULL, NULL, NULL, 1))
dbdcc04f	454	return 0;
28bdbe1a PS	455
28bdbe1a PS	456	drbg->meth = &drbg_ctr_meth;
75e2c877 RS	457	drbg->strength = keylen * 8;
75e2c877 RS	458	drbg->seedlen = keylen + 16;
12fb8c3d	459
8164d91d	460	if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
12fb8c3d	461	/* df initialisation */
dbdcc04f	462	static const unsigned char df_key[32] = {
c2e33a05 F	463	0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
	464	0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
	465	0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
	466	0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
12fb8c3d	467	};
dbdcc04f KR	468
	469	if (ctr->ctx_df == NULL)
	470	ctr->ctx_df = EVP_CIPHER_CTX_new();
	471	if (ctr->ctx_df == NULL)
	472	return 0;
12fb8c3d	473	/* Set key schedule for df_key */
28bdbe1a PS	474	if (!EVP_CipherInit_ex(ctr->ctx_df,
28bdbe1a PS	475	ctr->cipher_ecb, NULL, df_key, NULL, 1))
dbdcc04f	476	return 0;
75e2c877	477
aa048aef	478	drbg->min_entropylen = ctr->keylen;
3064b551	479	drbg->max_entropylen = DRBG_MAX_LENGTH;
aa048aef	480	drbg->min_noncelen = drbg->min_entropylen / 2;
3064b551	481	drbg->max_noncelen = DRBG_MAX_LENGTH;
aa048aef DMSP	482	drbg->max_perslen = DRBG_MAX_LENGTH;
aa048aef DMSP	483	drbg->max_adinlen = DRBG_MAX_LENGTH;
12fb8c3d	484	} else {
f844f9eb	485	#ifdef FIPS_MODULE
6c7d80ab P	486	RANDerr(RAND_F_DRBG_CTR_INIT,
	487	RAND_R_DERIVATION_FUNCTION_MANDATORY_FOR_FIPS);
	488	return 0;
	489	#else
aa048aef DMSP	490	drbg->min_entropylen = drbg->seedlen;
aa048aef DMSP	491	drbg->max_entropylen = drbg->seedlen;
12fb8c3d	492	/* Nonce not used */
aa048aef DMSP	493	drbg->min_noncelen = 0;
	494	drbg->max_noncelen = 0;
	495	drbg->max_perslen = drbg->seedlen;
	496	drbg->max_adinlen = drbg->seedlen;
6c7d80ab	497	#endif
12fb8c3d RS	498	}
12fb8c3d RS	499
75e2c877	500	drbg->max_request = 1 << 16;
4917e911	501
12fb8c3d RS	502	return 1;
12fb8c3d RS	503	}