From: Daiki Ueno Date: Thu, 29 Jan 2026 23:13:35 +0000 (+0900) Subject: Expose drbg_ctr_aes256_update X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ea42429cacad267e60d49432bbeb25e4dc042562;p=thirdparty%2Fnettle.git Expose drbg_ctr_aes256_update To adhere to FIPS 140-3, the CTR_DRBG instance shall be reseeded after a certain number of generation requests (2^48, according to SP800 90A 10.2.1, table 3). To allow applications to implement that restriction, expose drbg_ctr_aes256_update as a public function. Signed-off-by: Daiki Ueno --- diff --git a/drbg-ctr-aes256.c b/drbg-ctr-aes256.c index a62b62ec..d9fdae89 100644 --- a/drbg-ctr-aes256.c +++ b/drbg-ctr-aes256.c @@ -59,20 +59,18 @@ drbg_ctr_aes256_output (const struct aes256_ctx *key, union nettle_block16 *V, } } -/* provided_data is either NULL or a pointer to - DRBG_CTR_AES256_SEED_SIZE (= 48) bytes. */ -static void -drbg_ctr_aes256_update (struct aes256_ctx *key, - union nettle_block16 *V, const uint8_t *provided_data) +void +drbg_ctr_aes256_update (struct drbg_ctr_aes256_ctx *ctx, + const uint8_t *provided_data) { union nettle_block16 tmp[3]; - drbg_ctr_aes256_output (key, V, DRBG_CTR_AES256_SEED_SIZE, tmp[0].b); + drbg_ctr_aes256_output (&ctx->key, &ctx->V, DRBG_CTR_AES256_SEED_SIZE, tmp[0].b); if (provided_data) memxor (tmp[0].b, provided_data, DRBG_CTR_AES256_SEED_SIZE); - aes256_set_encrypt_key (key, tmp[0].b); - block16_set (V, &tmp[2]); + aes256_set_encrypt_key (&ctx->key, tmp[0].b); + block16_set (&ctx->V, &tmp[2]); } void @@ -83,7 +81,7 @@ drbg_ctr_aes256_init (struct drbg_ctr_aes256_ctx *ctx, uint8_t *seed_material) aes256_set_encrypt_key (&ctx->key, zero_key); block16_zero (&ctx->V); - drbg_ctr_aes256_update (&ctx->key, &ctx->V, seed_material); + drbg_ctr_aes256_update (ctx, seed_material); } void 
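Review bot: Dropping `static` also dropped the only comment at the definition, so the body of drbg_ctr_aes256_update now says nothing about provided_data even though the memxor two lines below reads exactly DRBG_CTR_AES256_SEED_SIZE bytes from it and nothing in the function can detect a shorter buffer. Keep a one-line pointer at the definition: `/* provided_data: NULL, or exactly DRBG_CTR_AES256_SEED_SIZE bytes (contract in drbg-ctr.h). */`. Separately, `tmp` still holds the freshly derived key and V when the function returns and is not cleared; that is unchanged by this commit, but now that the function is the public re-seed entry point fed with caller-supplied entropy, wiping it before return is worth considering. The call-site change in the drbg_ctr_aes256_init hunk below needs nothing further.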
@@ -91,5 +89,5 @@ drbg_ctr_aes256_random (struct drbg_ctr_aes256_ctx *ctx, size_t n, uint8_t *dst) { drbg_ctr_aes256_output (&ctx->key, &ctx->V, n, dst); - drbg_ctr_aes256_update (&ctx->key, &ctx->V, NULL); + drbg_ctr_aes256_update (ctx, NULL); } diff --git a/drbg-ctr.h b/drbg-ctr.h index 803610f9..f911d5e7 100644 --- a/drbg-ctr.h +++ b/drbg-ctr.h @@ -42,6 +42,7 @@ extern "C" /* Namespace mangling */ #define drbg_ctr_aes256_init nettle_drbg_ctr_aes256_init #define drbg_ctr_aes256_random nettle_drbg_ctr_aes256_random +#define drbg_ctr_aes256_update nettle_drbg_ctr_aes256_update #define DRBG_CTR_AES256_SEED_SIZE (AES_BLOCK_SIZE + AES256_KEY_SIZE) @@ -62,6 +63,13 @@ void drbg_ctr_aes256_random (struct drbg_ctr_aes256_ctx *ctx, size_t n, uint8_t *dst); +/* Update the internal state of CTX with PROVIDED_DATA. PROVIDED_DATA + is either NULL or a pointer to DRBG_CTR_AES256_SEED_SIZE (= 48) + bytes. */ +void +drbg_ctr_aes256_update (struct drbg_ctr_aes256_ctx *ctx, + const uint8_t *provided_data); + #ifdef __cplusplus } #endif diff --git a/nettle.texinfo b/nettle.texinfo index 7f61a5c1..eccd92bd 100644 --- a/nettle.texinfo +++ b/nettle.texinfo 
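Review bot: The new comment on drbg_ctr_aes256_update in drbg-ctr.h states the buffer size but not what a caller must know to use it for the re-seeding the commit message describes: this implementation applies no derivation function (the texinfo text in the same commit says so), so SP 800-90A's no-df CTR_DRBG requires the data xored into the fresh output block to be full-entropy seed material of the whole 48 bytes, and the context keeps no request counter, so the 2^48-request interval from the commit message is the caller's to track. Extend the header comment with: `   For re-seeding, PROVIDED_DATA must be fresh, full-entropy seed material (no derivation function is applied). The library does not count requests; the caller tracks the reseed interval.`. It may also help to say that drbg_ctr_aes256_random already calls this with NULL after every request (see the hunk above), so a caller-side NULL call only ratchets the state once more. The namespace-mangling hunk needs nothing.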
@@ -6214,9 +6214,12 @@ of deterministic randomness generators published by NIST in SP 800-90A. We support what we believe is the reasonable parts of the CTR_DRBG algorithm for AES256. Re-seeding, personalization strings, derivation functions and support for non-AES256 is not implemented. -Personalization strings can be implemented by the caller, if desired, -with xor. If you need re-seeding or entropy derivation, we suggest that -you use Yarrow instead. + +Re-seeding and personalization strings can be implemented by the +caller, if desired. To implement re-seeding, use +@code{drbg_ctr_aes256_update}. Similarly, personalization strings can +be implemented with @code{memxor}. If you need entropy derivation, we +suggest that you use Yarrow instead. The security bounds of DRBG-CTR are not intuitive, see ``Security Bounds for the NIST Codebook-based Deterministic Random Bit Generator'' by @@ -6243,6 +6246,11 @@ Initialize the DRBG-CTR-AES256 context using @deftypefun void drbg_ctr_aes256_random (struct drbg_ctr_aes256_ctx *@var{ctx}, size_t n, uint8_t *@var{dst}) Generates @var{n} octets of output into @var{dst}. The generator must be initialized before you call this function. + +@deftypefun void drbg_ctr_aes256_update (struct drbg_ctr_aes256_ctx *@var{ctx}, const uint8_t *@var{provided_data}) +Updates the internal state of @var{ctx} with @var{provided_data}, +which is either NULL or a pointer to data of +@code{DRBG_CTR_AES256_SEED_SIZE} octets. This function is used for re-seeding. @end deftypefun @node ASCII encoding