drbg_ctr.c 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450
  1. /*
  2. * Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdlib.h>
  10. #include <string.h>
  11. #include <openssl/crypto.h>
  12. #include <openssl/err.h>
  13. #include <openssl/rand.h>
  14. #include "internal/thread_once.h"
  15. #include "rand_local.h"
  16. /*
  17. * Implementation of NIST SP 800-90A CTR DRBG.
  18. */
  19. static void inc_128(RAND_DRBG_CTR *ctr)
  20. {
  21. int i;
  22. unsigned char c;
  23. unsigned char *p = &ctr->V[15];
  24. for (i = 0; i < 16; i++, p--) {
  25. c = *p;
  26. c++;
  27. *p = c;
  28. if (c != 0) {
  29. /* If we didn't wrap around, we're done. */
  30. break;
  31. }
  32. }
  33. }
  34. static void ctr_XOR(RAND_DRBG_CTR *ctr, const unsigned char *in, size_t inlen)
  35. {
  36. size_t i, n;
  37. if (in == NULL || inlen == 0)
  38. return;
  39. /*
  40. * Any zero padding will have no effect on the result as we
  41. * are XORing. So just process however much input we have.
  42. */
  43. n = inlen < ctr->keylen ? inlen : ctr->keylen;
  44. for (i = 0; i < n; i++)
  45. ctr->K[i] ^= in[i];
  46. if (inlen <= ctr->keylen)
  47. return;
  48. n = inlen - ctr->keylen;
  49. if (n > 16) {
  50. /* Should never happen */
  51. n = 16;
  52. }
  53. for (i = 0; i < n; i++)
  54. ctr->V[i] ^= in[i + ctr->keylen];
  55. }
  56. /*
  57. * Process a complete block using BCC algorithm of SP 800-90A 10.3.3
  58. */
  59. __owur static int ctr_BCC_block(RAND_DRBG_CTR *ctr, unsigned char *out,
  60. const unsigned char *in)
  61. {
  62. int i, outlen = AES_BLOCK_SIZE;
  63. for (i = 0; i < 16; i++)
  64. out[i] ^= in[i];
  65. if (!EVP_CipherUpdate(ctr->ctx_df, out, &outlen, out, AES_BLOCK_SIZE)
  66. || outlen != AES_BLOCK_SIZE)
  67. return 0;
  68. return 1;
  69. }
  70. /*
  71. * Handle several BCC operations for as much data as we need for K and X
  72. */
  73. __owur static int ctr_BCC_blocks(RAND_DRBG_CTR *ctr, const unsigned char *in)
  74. {
  75. if (!ctr_BCC_block(ctr, ctr->KX, in)
  76. || !ctr_BCC_block(ctr, ctr->KX + 16, in))
  77. return 0;
  78. if (ctr->keylen != 16 && !ctr_BCC_block(ctr, ctr->KX + 32, in))
  79. return 0;
  80. return 1;
  81. }
  82. /*
  83. * Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
  84. * see 10.3.1 stage 7.
  85. */
  86. __owur static int ctr_BCC_init(RAND_DRBG_CTR *ctr)
  87. {
  88. memset(ctr->KX, 0, 48);
  89. memset(ctr->bltmp, 0, 16);
  90. if (!ctr_BCC_block(ctr, ctr->KX, ctr->bltmp))
  91. return 0;
  92. ctr->bltmp[3] = 1;
  93. if (!ctr_BCC_block(ctr, ctr->KX + 16, ctr->bltmp))
  94. return 0;
  95. if (ctr->keylen != 16) {
  96. ctr->bltmp[3] = 2;
  97. if (!ctr_BCC_block(ctr, ctr->KX + 32, ctr->bltmp))
  98. return 0;
  99. }
  100. return 1;
  101. }
  102. /*
  103. * Process several blocks into BCC algorithm, some possibly partial
  104. */
  105. __owur static int ctr_BCC_update(RAND_DRBG_CTR *ctr,
  106. const unsigned char *in, size_t inlen)
  107. {
  108. if (in == NULL || inlen == 0)
  109. return 1;
  110. /* If we have partial block handle it first */
  111. if (ctr->bltmp_pos) {
  112. size_t left = 16 - ctr->bltmp_pos;
  113. /* If we now have a complete block process it */
  114. if (inlen >= left) {
  115. memcpy(ctr->bltmp + ctr->bltmp_pos, in, left);
  116. if (!ctr_BCC_blocks(ctr, ctr->bltmp))
  117. return 0;
  118. ctr->bltmp_pos = 0;
  119. inlen -= left;
  120. in += left;
  121. }
  122. }
  123. /* Process zero or more complete blocks */
  124. for (; inlen >= 16; in += 16, inlen -= 16) {
  125. if (!ctr_BCC_blocks(ctr, in))
  126. return 0;
  127. }
  128. /* Copy any remaining partial block to the temporary buffer */
  129. if (inlen > 0) {
  130. memcpy(ctr->bltmp + ctr->bltmp_pos, in, inlen);
  131. ctr->bltmp_pos += inlen;
  132. }
  133. return 1;
  134. }
  135. __owur static int ctr_BCC_final(RAND_DRBG_CTR *ctr)
  136. {
  137. if (ctr->bltmp_pos) {
  138. memset(ctr->bltmp + ctr->bltmp_pos, 0, 16 - ctr->bltmp_pos);
  139. if (!ctr_BCC_blocks(ctr, ctr->bltmp))
  140. return 0;
  141. }
  142. return 1;
  143. }
  144. __owur static int ctr_df(RAND_DRBG_CTR *ctr,
  145. const unsigned char *in1, size_t in1len,
  146. const unsigned char *in2, size_t in2len,
  147. const unsigned char *in3, size_t in3len)
  148. {
  149. static unsigned char c80 = 0x80;
  150. size_t inlen;
  151. unsigned char *p = ctr->bltmp;
  152. int outlen = AES_BLOCK_SIZE;
  153. if (!ctr_BCC_init(ctr))
  154. return 0;
  155. if (in1 == NULL)
  156. in1len = 0;
  157. if (in2 == NULL)
  158. in2len = 0;
  159. if (in3 == NULL)
  160. in3len = 0;
  161. inlen = in1len + in2len + in3len;
  162. /* Initialise L||N in temporary block */
  163. *p++ = (inlen >> 24) & 0xff;
  164. *p++ = (inlen >> 16) & 0xff;
  165. *p++ = (inlen >> 8) & 0xff;
  166. *p++ = inlen & 0xff;
  167. /* NB keylen is at most 32 bytes */
  168. *p++ = 0;
  169. *p++ = 0;
  170. *p++ = 0;
  171. *p = (unsigned char)((ctr->keylen + 16) & 0xff);
  172. ctr->bltmp_pos = 8;
  173. if (!ctr_BCC_update(ctr, in1, in1len)
  174. || !ctr_BCC_update(ctr, in2, in2len)
  175. || !ctr_BCC_update(ctr, in3, in3len)
  176. || !ctr_BCC_update(ctr, &c80, 1)
  177. || !ctr_BCC_final(ctr))
  178. return 0;
  179. /* Set up key K */
  180. if (!EVP_CipherInit_ex(ctr->ctx, ctr->cipher, NULL, ctr->KX, NULL, 1))
  181. return 0;
  182. /* X follows key K */
  183. if (!EVP_CipherUpdate(ctr->ctx, ctr->KX, &outlen, ctr->KX + ctr->keylen,
  184. AES_BLOCK_SIZE)
  185. || outlen != AES_BLOCK_SIZE)
  186. return 0;
  187. if (!EVP_CipherUpdate(ctr->ctx, ctr->KX + 16, &outlen, ctr->KX,
  188. AES_BLOCK_SIZE)
  189. || outlen != AES_BLOCK_SIZE)
  190. return 0;
  191. if (ctr->keylen != 16)
  192. if (!EVP_CipherUpdate(ctr->ctx, ctr->KX + 32, &outlen, ctr->KX + 16,
  193. AES_BLOCK_SIZE)
  194. || outlen != AES_BLOCK_SIZE)
  195. return 0;
  196. return 1;
  197. }
  198. /*
  199. * NB the no-df Update in SP800-90A specifies a constant input length
  200. * of seedlen, however other uses of this algorithm pad the input with
  201. * zeroes if necessary and have up to two parameters XORed together,
  202. * so we handle both cases in this function instead.
  203. */
  204. __owur static int ctr_update(RAND_DRBG *drbg,
  205. const unsigned char *in1, size_t in1len,
  206. const unsigned char *in2, size_t in2len,
  207. const unsigned char *nonce, size_t noncelen)
  208. {
  209. RAND_DRBG_CTR *ctr = &drbg->data.ctr;
  210. int outlen = AES_BLOCK_SIZE;
  211. /* correct key is already set up. */
  212. inc_128(ctr);
  213. if (!EVP_CipherUpdate(ctr->ctx, ctr->K, &outlen, ctr->V, AES_BLOCK_SIZE)
  214. || outlen != AES_BLOCK_SIZE)
  215. return 0;
  216. /* If keylen longer than 128 bits need extra encrypt */
  217. if (ctr->keylen != 16) {
  218. inc_128(ctr);
  219. if (!EVP_CipherUpdate(ctr->ctx, ctr->K+16, &outlen, ctr->V,
  220. AES_BLOCK_SIZE)
  221. || outlen != AES_BLOCK_SIZE)
  222. return 0;
  223. }
  224. inc_128(ctr);
  225. if (!EVP_CipherUpdate(ctr->ctx, ctr->V, &outlen, ctr->V, AES_BLOCK_SIZE)
  226. || outlen != AES_BLOCK_SIZE)
  227. return 0;
  228. /* If 192 bit key part of V is on end of K */
  229. if (ctr->keylen == 24) {
  230. memcpy(ctr->V + 8, ctr->V, 8);
  231. memcpy(ctr->V, ctr->K + 24, 8);
  232. }
  233. if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
  234. /* If no input reuse existing derived value */
  235. if (in1 != NULL || nonce != NULL || in2 != NULL)
  236. if (!ctr_df(ctr, in1, in1len, nonce, noncelen, in2, in2len))
  237. return 0;
  238. /* If this a reuse input in1len != 0 */
  239. if (in1len)
  240. ctr_XOR(ctr, ctr->KX, drbg->seedlen);
  241. } else {
  242. ctr_XOR(ctr, in1, in1len);
  243. ctr_XOR(ctr, in2, in2len);
  244. }
  245. if (!EVP_CipherInit_ex(ctr->ctx, ctr->cipher, NULL, ctr->K, NULL, 1))
  246. return 0;
  247. return 1;
  248. }
  249. __owur static int drbg_ctr_instantiate(RAND_DRBG *drbg,
  250. const unsigned char *entropy, size_t entropylen,
  251. const unsigned char *nonce, size_t noncelen,
  252. const unsigned char *pers, size_t perslen)
  253. {
  254. RAND_DRBG_CTR *ctr = &drbg->data.ctr;
  255. if (entropy == NULL)
  256. return 0;
  257. memset(ctr->K, 0, sizeof(ctr->K));
  258. memset(ctr->V, 0, sizeof(ctr->V));
  259. if (!EVP_CipherInit_ex(ctr->ctx, ctr->cipher, NULL, ctr->K, NULL, 1))
  260. return 0;
  261. if (!ctr_update(drbg, entropy, entropylen, pers, perslen, nonce, noncelen))
  262. return 0;
  263. return 1;
  264. }
  265. __owur static int drbg_ctr_reseed(RAND_DRBG *drbg,
  266. const unsigned char *entropy, size_t entropylen,
  267. const unsigned char *adin, size_t adinlen)
  268. {
  269. if (entropy == NULL)
  270. return 0;
  271. if (!ctr_update(drbg, entropy, entropylen, adin, adinlen, NULL, 0))
  272. return 0;
  273. return 1;
  274. }
  275. __owur static int drbg_ctr_generate(RAND_DRBG *drbg,
  276. unsigned char *out, size_t outlen,
  277. const unsigned char *adin, size_t adinlen)
  278. {
  279. RAND_DRBG_CTR *ctr = &drbg->data.ctr;
  280. if (adin != NULL && adinlen != 0) {
  281. if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
  282. return 0;
  283. /* This means we reuse derived value */
  284. if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
  285. adin = NULL;
  286. adinlen = 1;
  287. }
  288. } else {
  289. adinlen = 0;
  290. }
  291. for ( ; ; ) {
  292. int outl = AES_BLOCK_SIZE;
  293. inc_128(ctr);
  294. if (outlen < 16) {
  295. /* Use K as temp space as it will be updated */
  296. if (!EVP_CipherUpdate(ctr->ctx, ctr->K, &outl, ctr->V,
  297. AES_BLOCK_SIZE)
  298. || outl != AES_BLOCK_SIZE)
  299. return 0;
  300. memcpy(out, ctr->K, outlen);
  301. break;
  302. }
  303. if (!EVP_CipherUpdate(ctr->ctx, out, &outl, ctr->V, AES_BLOCK_SIZE)
  304. || outl != AES_BLOCK_SIZE)
  305. return 0;
  306. out += 16;
  307. outlen -= 16;
  308. if (outlen == 0)
  309. break;
  310. }
  311. if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
  312. return 0;
  313. return 1;
  314. }
  315. static int drbg_ctr_uninstantiate(RAND_DRBG *drbg)
  316. {
  317. EVP_CIPHER_CTX_free(drbg->data.ctr.ctx);
  318. EVP_CIPHER_CTX_free(drbg->data.ctr.ctx_df);
  319. EVP_CIPHER_free(drbg->data.ctr.cipher);
  320. OPENSSL_cleanse(&drbg->data.ctr, sizeof(drbg->data.ctr));
  321. return 1;
  322. }
  323. static RAND_DRBG_METHOD drbg_ctr_meth = {
  324. drbg_ctr_instantiate,
  325. drbg_ctr_reseed,
  326. drbg_ctr_generate,
  327. drbg_ctr_uninstantiate
  328. };
  329. int drbg_ctr_init(RAND_DRBG *drbg)
  330. {
  331. RAND_DRBG_CTR *ctr = &drbg->data.ctr;
  332. size_t keylen;
  333. EVP_CIPHER *cipher = NULL;
  334. switch (drbg->type) {
  335. default:
  336. /* This can't happen, but silence the compiler warning. */
  337. return 0;
  338. case NID_aes_128_ctr:
  339. keylen = 16;
  340. cipher = EVP_CIPHER_fetch(drbg->libctx, "AES-128-ECB", "");
  341. break;
  342. case NID_aes_192_ctr:
  343. keylen = 24;
  344. cipher = EVP_CIPHER_fetch(drbg->libctx, "AES-192-ECB", "");
  345. break;
  346. case NID_aes_256_ctr:
  347. keylen = 32;
  348. cipher = EVP_CIPHER_fetch(drbg->libctx, "AES-256-ECB", "");
  349. break;
  350. }
  351. if (cipher == NULL)
  352. return 0;
  353. EVP_CIPHER_free(ctr->cipher);
  354. ctr->cipher = cipher;
  355. drbg->meth = &drbg_ctr_meth;
  356. ctr->keylen = keylen;
  357. if (ctr->ctx == NULL)
  358. ctr->ctx = EVP_CIPHER_CTX_new();
  359. if (ctr->ctx == NULL)
  360. return 0;
  361. drbg->strength = keylen * 8;
  362. drbg->seedlen = keylen + 16;
  363. if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
  364. /* df initialisation */
  365. static const unsigned char df_key[32] = {
  366. 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
  367. 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
  368. 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
  369. 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
  370. };
  371. if (ctr->ctx_df == NULL)
  372. ctr->ctx_df = EVP_CIPHER_CTX_new();
  373. if (ctr->ctx_df == NULL)
  374. return 0;
  375. /* Set key schedule for df_key */
  376. if (!EVP_CipherInit_ex(ctr->ctx_df, ctr->cipher, NULL, df_key, NULL, 1))
  377. return 0;
  378. drbg->min_entropylen = ctr->keylen;
  379. drbg->max_entropylen = DRBG_MAX_LENGTH;
  380. drbg->min_noncelen = drbg->min_entropylen / 2;
  381. drbg->max_noncelen = DRBG_MAX_LENGTH;
  382. drbg->max_perslen = DRBG_MAX_LENGTH;
  383. drbg->max_adinlen = DRBG_MAX_LENGTH;
  384. } else {
  385. #ifdef FIPS_MODE
  386. RANDerr(RAND_F_DRBG_CTR_INIT,
  387. RAND_R_DERIVATION_FUNCTION_MANDATORY_FOR_FIPS);
  388. return 0;
  389. #else
  390. drbg->min_entropylen = drbg->seedlen;
  391. drbg->max_entropylen = drbg->seedlen;
  392. /* Nonce not used */
  393. drbg->min_noncelen = 0;
  394. drbg->max_noncelen = 0;
  395. drbg->max_perslen = drbg->seedlen;
  396. drbg->max_adinlen = drbg->seedlen;
  397. #endif
  398. }
  399. drbg->max_request = 1 << 16;
  400. return 1;
  401. }