drbg_ctr.c 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438
  1. /*
  2. * Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdlib.h>
  10. #include <string.h>
  11. #include <openssl/crypto.h>
  12. #include <openssl/err.h>
  13. #include <openssl/rand.h>
  14. #include "internal/thread_once.h"
  15. #include "internal/thread_once.h"
  16. #include "rand_lcl.h"
  17. /*
  18. * Implementation of NIST SP 800-90A CTR DRBG.
  19. */
  20. static void inc_128(RAND_DRBG_CTR *ctr)
  21. {
  22. int i;
  23. unsigned char c;
  24. unsigned char *p = &ctr->V[15];
  25. for (i = 0; i < 16; i++, p--) {
  26. c = *p;
  27. c++;
  28. *p = c;
  29. if (c != 0) {
  30. /* If we didn't wrap around, we're done. */
  31. break;
  32. }
  33. }
  34. }
  35. static void ctr_XOR(RAND_DRBG_CTR *ctr, const unsigned char *in, size_t inlen)
  36. {
  37. size_t i, n;
  38. if (in == NULL || inlen == 0)
  39. return;
  40. /*
  41. * Any zero padding will have no effect on the result as we
  42. * are XORing. So just process however much input we have.
  43. */
  44. n = inlen < ctr->keylen ? inlen : ctr->keylen;
  45. for (i = 0; i < n; i++)
  46. ctr->K[i] ^= in[i];
  47. if (inlen <= ctr->keylen)
  48. return;
  49. n = inlen - ctr->keylen;
  50. if (n > 16) {
  51. /* Should never happen */
  52. n = 16;
  53. }
  54. for (i = 0; i < n; i++)
  55. ctr->V[i] ^= in[i + ctr->keylen];
  56. }
  57. /*
  58. * Process a complete block using BCC algorithm of SP 800-90A 10.3.3
  59. */
  60. __owur static int ctr_BCC_block(RAND_DRBG_CTR *ctr, unsigned char *out,
  61. const unsigned char *in)
  62. {
  63. int i, outlen = AES_BLOCK_SIZE;
  64. for (i = 0; i < 16; i++)
  65. out[i] ^= in[i];
  66. if (!EVP_CipherUpdate(ctr->ctx_df, out, &outlen, out, AES_BLOCK_SIZE)
  67. || outlen != AES_BLOCK_SIZE)
  68. return 0;
  69. return 1;
  70. }
  71. /*
  72. * Handle several BCC operations for as much data as we need for K and X
  73. */
  74. __owur static int ctr_BCC_blocks(RAND_DRBG_CTR *ctr, const unsigned char *in)
  75. {
  76. if (!ctr_BCC_block(ctr, ctr->KX, in)
  77. || !ctr_BCC_block(ctr, ctr->KX + 16, in))
  78. return 0;
  79. if (ctr->keylen != 16 && !ctr_BCC_block(ctr, ctr->KX + 32, in))
  80. return 0;
  81. return 1;
  82. }
  83. /*
  84. * Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
  85. * see 10.3.1 stage 7.
  86. */
  87. __owur static int ctr_BCC_init(RAND_DRBG_CTR *ctr)
  88. {
  89. memset(ctr->KX, 0, 48);
  90. memset(ctr->bltmp, 0, 16);
  91. if (!ctr_BCC_block(ctr, ctr->KX, ctr->bltmp))
  92. return 0;
  93. ctr->bltmp[3] = 1;
  94. if (!ctr_BCC_block(ctr, ctr->KX + 16, ctr->bltmp))
  95. return 0;
  96. if (ctr->keylen != 16) {
  97. ctr->bltmp[3] = 2;
  98. if (!ctr_BCC_block(ctr, ctr->KX + 32, ctr->bltmp))
  99. return 0;
  100. }
  101. return 1;
  102. }
  103. /*
  104. * Process several blocks into BCC algorithm, some possibly partial
  105. */
  106. __owur static int ctr_BCC_update(RAND_DRBG_CTR *ctr,
  107. const unsigned char *in, size_t inlen)
  108. {
  109. if (in == NULL || inlen == 0)
  110. return 1;
  111. /* If we have partial block handle it first */
  112. if (ctr->bltmp_pos) {
  113. size_t left = 16 - ctr->bltmp_pos;
  114. /* If we now have a complete block process it */
  115. if (inlen >= left) {
  116. memcpy(ctr->bltmp + ctr->bltmp_pos, in, left);
  117. if (!ctr_BCC_blocks(ctr, ctr->bltmp))
  118. return 0;
  119. ctr->bltmp_pos = 0;
  120. inlen -= left;
  121. in += left;
  122. }
  123. }
  124. /* Process zero or more complete blocks */
  125. for (; inlen >= 16; in += 16, inlen -= 16) {
  126. if (!ctr_BCC_blocks(ctr, in))
  127. return 0;
  128. }
  129. /* Copy any remaining partial block to the temporary buffer */
  130. if (inlen > 0) {
  131. memcpy(ctr->bltmp + ctr->bltmp_pos, in, inlen);
  132. ctr->bltmp_pos += inlen;
  133. }
  134. return 1;
  135. }
  136. __owur static int ctr_BCC_final(RAND_DRBG_CTR *ctr)
  137. {
  138. if (ctr->bltmp_pos) {
  139. memset(ctr->bltmp + ctr->bltmp_pos, 0, 16 - ctr->bltmp_pos);
  140. if (!ctr_BCC_blocks(ctr, ctr->bltmp))
  141. return 0;
  142. }
  143. return 1;
  144. }
  145. __owur static int ctr_df(RAND_DRBG_CTR *ctr,
  146. const unsigned char *in1, size_t in1len,
  147. const unsigned char *in2, size_t in2len,
  148. const unsigned char *in3, size_t in3len)
  149. {
  150. static unsigned char c80 = 0x80;
  151. size_t inlen;
  152. unsigned char *p = ctr->bltmp;
  153. int outlen = AES_BLOCK_SIZE;
  154. if (!ctr_BCC_init(ctr))
  155. return 0;
  156. if (in1 == NULL)
  157. in1len = 0;
  158. if (in2 == NULL)
  159. in2len = 0;
  160. if (in3 == NULL)
  161. in3len = 0;
  162. inlen = in1len + in2len + in3len;
  163. /* Initialise L||N in temporary block */
  164. *p++ = (inlen >> 24) & 0xff;
  165. *p++ = (inlen >> 16) & 0xff;
  166. *p++ = (inlen >> 8) & 0xff;
  167. *p++ = inlen & 0xff;
  168. /* NB keylen is at most 32 bytes */
  169. *p++ = 0;
  170. *p++ = 0;
  171. *p++ = 0;
  172. *p = (unsigned char)((ctr->keylen + 16) & 0xff);
  173. ctr->bltmp_pos = 8;
  174. if (!ctr_BCC_update(ctr, in1, in1len)
  175. || !ctr_BCC_update(ctr, in2, in2len)
  176. || !ctr_BCC_update(ctr, in3, in3len)
  177. || !ctr_BCC_update(ctr, &c80, 1)
  178. || !ctr_BCC_final(ctr))
  179. return 0;
  180. /* Set up key K */
  181. if (!EVP_CipherInit_ex(ctr->ctx, ctr->cipher, NULL, ctr->KX, NULL, 1))
  182. return 0;
  183. /* X follows key K */
  184. if (!EVP_CipherUpdate(ctr->ctx, ctr->KX, &outlen, ctr->KX + ctr->keylen,
  185. AES_BLOCK_SIZE)
  186. || outlen != AES_BLOCK_SIZE)
  187. return 0;
  188. if (!EVP_CipherUpdate(ctr->ctx, ctr->KX + 16, &outlen, ctr->KX,
  189. AES_BLOCK_SIZE)
  190. || outlen != AES_BLOCK_SIZE)
  191. return 0;
  192. if (ctr->keylen != 16)
  193. if (!EVP_CipherUpdate(ctr->ctx, ctr->KX + 32, &outlen, ctr->KX + 16,
  194. AES_BLOCK_SIZE)
  195. || outlen != AES_BLOCK_SIZE)
  196. return 0;
  197. return 1;
  198. }
  199. /*
  200. * NB the no-df Update in SP800-90A specifies a constant input length
  201. * of seedlen, however other uses of this algorithm pad the input with
  202. * zeroes if necessary and have up to two parameters XORed together,
  203. * so we handle both cases in this function instead.
  204. */
  205. __owur static int ctr_update(RAND_DRBG *drbg,
  206. const unsigned char *in1, size_t in1len,
  207. const unsigned char *in2, size_t in2len,
  208. const unsigned char *nonce, size_t noncelen)
  209. {
  210. RAND_DRBG_CTR *ctr = &drbg->data.ctr;
  211. int outlen = AES_BLOCK_SIZE;
  212. /* correct key is already set up. */
  213. inc_128(ctr);
  214. if (!EVP_CipherUpdate(ctr->ctx, ctr->K, &outlen, ctr->V, AES_BLOCK_SIZE)
  215. || outlen != AES_BLOCK_SIZE)
  216. return 0;
  217. /* If keylen longer than 128 bits need extra encrypt */
  218. if (ctr->keylen != 16) {
  219. inc_128(ctr);
  220. if (!EVP_CipherUpdate(ctr->ctx, ctr->K+16, &outlen, ctr->V,
  221. AES_BLOCK_SIZE)
  222. || outlen != AES_BLOCK_SIZE)
  223. return 0;
  224. }
  225. inc_128(ctr);
  226. if (!EVP_CipherUpdate(ctr->ctx, ctr->V, &outlen, ctr->V, AES_BLOCK_SIZE)
  227. || outlen != AES_BLOCK_SIZE)
  228. return 0;
  229. /* If 192 bit key part of V is on end of K */
  230. if (ctr->keylen == 24) {
  231. memcpy(ctr->V + 8, ctr->V, 8);
  232. memcpy(ctr->V, ctr->K + 24, 8);
  233. }
  234. if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
  235. /* If no input reuse existing derived value */
  236. if (in1 != NULL || nonce != NULL || in2 != NULL)
  237. if (!ctr_df(ctr, in1, in1len, nonce, noncelen, in2, in2len))
  238. return 0;
  239. /* If this a reuse input in1len != 0 */
  240. if (in1len)
  241. ctr_XOR(ctr, ctr->KX, drbg->seedlen);
  242. } else {
  243. ctr_XOR(ctr, in1, in1len);
  244. ctr_XOR(ctr, in2, in2len);
  245. }
  246. if (!EVP_CipherInit_ex(ctr->ctx, ctr->cipher, NULL, ctr->K, NULL, 1))
  247. return 0;
  248. return 1;
  249. }
  250. __owur static int drbg_ctr_instantiate(RAND_DRBG *drbg,
  251. const unsigned char *entropy, size_t entropylen,
  252. const unsigned char *nonce, size_t noncelen,
  253. const unsigned char *pers, size_t perslen)
  254. {
  255. RAND_DRBG_CTR *ctr = &drbg->data.ctr;
  256. if (entropy == NULL)
  257. return 0;
  258. memset(ctr->K, 0, sizeof(ctr->K));
  259. memset(ctr->V, 0, sizeof(ctr->V));
  260. if (!EVP_CipherInit_ex(ctr->ctx, ctr->cipher, NULL, ctr->K, NULL, 1))
  261. return 0;
  262. if (!ctr_update(drbg, entropy, entropylen, pers, perslen, nonce, noncelen))
  263. return 0;
  264. return 1;
  265. }
  266. __owur static int drbg_ctr_reseed(RAND_DRBG *drbg,
  267. const unsigned char *entropy, size_t entropylen,
  268. const unsigned char *adin, size_t adinlen)
  269. {
  270. if (entropy == NULL)
  271. return 0;
  272. if (!ctr_update(drbg, entropy, entropylen, adin, adinlen, NULL, 0))
  273. return 0;
  274. return 1;
  275. }
  276. __owur static int drbg_ctr_generate(RAND_DRBG *drbg,
  277. unsigned char *out, size_t outlen,
  278. const unsigned char *adin, size_t adinlen)
  279. {
  280. RAND_DRBG_CTR *ctr = &drbg->data.ctr;
  281. if (adin != NULL && adinlen != 0) {
  282. if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
  283. return 0;
  284. /* This means we reuse derived value */
  285. if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
  286. adin = NULL;
  287. adinlen = 1;
  288. }
  289. } else {
  290. adinlen = 0;
  291. }
  292. for ( ; ; ) {
  293. int outl = AES_BLOCK_SIZE;
  294. inc_128(ctr);
  295. if (outlen < 16) {
  296. /* Use K as temp space as it will be updated */
  297. if (!EVP_CipherUpdate(ctr->ctx, ctr->K, &outl, ctr->V,
  298. AES_BLOCK_SIZE)
  299. || outl != AES_BLOCK_SIZE)
  300. return 0;
  301. memcpy(out, ctr->K, outlen);
  302. break;
  303. }
  304. if (!EVP_CipherUpdate(ctr->ctx, out, &outl, ctr->V, AES_BLOCK_SIZE)
  305. || outl != AES_BLOCK_SIZE)
  306. return 0;
  307. out += 16;
  308. outlen -= 16;
  309. if (outlen == 0)
  310. break;
  311. }
  312. if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
  313. return 0;
  314. return 1;
  315. }
  316. static int drbg_ctr_uninstantiate(RAND_DRBG *drbg)
  317. {
  318. EVP_CIPHER_CTX_free(drbg->data.ctr.ctx);
  319. EVP_CIPHER_CTX_free(drbg->data.ctr.ctx_df);
  320. OPENSSL_cleanse(&drbg->data.ctr, sizeof(drbg->data.ctr));
  321. return 1;
  322. }
  323. static RAND_DRBG_METHOD drbg_ctr_meth = {
  324. drbg_ctr_instantiate,
  325. drbg_ctr_reseed,
  326. drbg_ctr_generate,
  327. drbg_ctr_uninstantiate
  328. };
  329. int drbg_ctr_init(RAND_DRBG *drbg)
  330. {
  331. RAND_DRBG_CTR *ctr = &drbg->data.ctr;
  332. size_t keylen;
  333. switch (drbg->type) {
  334. default:
  335. /* This can't happen, but silence the compiler warning. */
  336. return 0;
  337. case NID_aes_128_ctr:
  338. keylen = 16;
  339. ctr->cipher = EVP_aes_128_ecb();
  340. break;
  341. case NID_aes_192_ctr:
  342. keylen = 24;
  343. ctr->cipher = EVP_aes_192_ecb();
  344. break;
  345. case NID_aes_256_ctr:
  346. keylen = 32;
  347. ctr->cipher = EVP_aes_256_ecb();
  348. break;
  349. }
  350. drbg->meth = &drbg_ctr_meth;
  351. ctr->keylen = keylen;
  352. if (ctr->ctx == NULL)
  353. ctr->ctx = EVP_CIPHER_CTX_new();
  354. if (ctr->ctx == NULL)
  355. return 0;
  356. drbg->strength = keylen * 8;
  357. drbg->seedlen = keylen + 16;
  358. if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
  359. /* df initialisation */
  360. static const unsigned char df_key[32] = {
  361. 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
  362. 0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
  363. 0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
  364. 0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f
  365. };
  366. if (ctr->ctx_df == NULL)
  367. ctr->ctx_df = EVP_CIPHER_CTX_new();
  368. if (ctr->ctx_df == NULL)
  369. return 0;
  370. /* Set key schedule for df_key */
  371. if (!EVP_CipherInit_ex(ctr->ctx_df, ctr->cipher, NULL, df_key, NULL, 1))
  372. return 0;
  373. drbg->min_entropylen = ctr->keylen;
  374. drbg->max_entropylen = DRBG_MINMAX_FACTOR * drbg->min_entropylen;
  375. drbg->min_noncelen = drbg->min_entropylen / 2;
  376. drbg->max_noncelen = DRBG_MINMAX_FACTOR * drbg->min_noncelen;
  377. drbg->max_perslen = DRBG_MAX_LENGTH;
  378. drbg->max_adinlen = DRBG_MAX_LENGTH;
  379. } else {
  380. drbg->min_entropylen = drbg->seedlen;
  381. drbg->max_entropylen = drbg->seedlen;
  382. /* Nonce not used */
  383. drbg->min_noncelen = 0;
  384. drbg->max_noncelen = 0;
  385. drbg->max_perslen = drbg->seedlen;
  386. drbg->max_adinlen = drbg->seedlen;
  387. }
  388. drbg->max_request = 1 << 16;
  389. return 1;
  390. }