drbg_ctr.c 23 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756
  1. /*
  2. * Copyright 2011-2022 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdlib.h>
  10. #include <string.h>
  11. #include <openssl/crypto.h>
  12. #include <openssl/err.h>
  13. #include <openssl/rand.h>
  14. #include <openssl/aes.h>
  15. #include <openssl/proverr.h>
  16. #include "crypto/modes.h"
  17. #include "internal/thread_once.h"
  18. #include "prov/implementations.h"
  19. #include "prov/providercommon.h"
  20. #include "prov/provider_ctx.h"
  21. #include "drbg_local.h"
  22. static OSSL_FUNC_rand_newctx_fn drbg_ctr_new_wrapper;
  23. static OSSL_FUNC_rand_freectx_fn drbg_ctr_free;
  24. static OSSL_FUNC_rand_instantiate_fn drbg_ctr_instantiate_wrapper;
  25. static OSSL_FUNC_rand_uninstantiate_fn drbg_ctr_uninstantiate_wrapper;
  26. static OSSL_FUNC_rand_generate_fn drbg_ctr_generate_wrapper;
  27. static OSSL_FUNC_rand_reseed_fn drbg_ctr_reseed_wrapper;
  28. static OSSL_FUNC_rand_settable_ctx_params_fn drbg_ctr_settable_ctx_params;
  29. static OSSL_FUNC_rand_set_ctx_params_fn drbg_ctr_set_ctx_params;
  30. static OSSL_FUNC_rand_gettable_ctx_params_fn drbg_ctr_gettable_ctx_params;
  31. static OSSL_FUNC_rand_get_ctx_params_fn drbg_ctr_get_ctx_params;
  32. static OSSL_FUNC_rand_verify_zeroization_fn drbg_ctr_verify_zeroization;
  33. /*
  34. * The state of a DRBG AES-CTR.
  35. */
  36. typedef struct rand_drbg_ctr_st {
  37. EVP_CIPHER_CTX *ctx_ecb;
  38. EVP_CIPHER_CTX *ctx_ctr;
  39. EVP_CIPHER_CTX *ctx_df;
  40. EVP_CIPHER *cipher_ecb;
  41. EVP_CIPHER *cipher_ctr;
  42. size_t keylen;
  43. int use_df;
  44. unsigned char K[32];
  45. unsigned char V[16];
  46. /* Temporary block storage used by ctr_df */
  47. unsigned char bltmp[16];
  48. size_t bltmp_pos;
  49. unsigned char KX[48];
  50. } PROV_DRBG_CTR;
  51. /*
  52. * Implementation of NIST SP 800-90A CTR DRBG.
  53. */
  54. static void inc_128(PROV_DRBG_CTR *ctr)
  55. {
  56. unsigned char *p = &ctr->V[0];
  57. u32 n = 16, c = 1;
  58. do {
  59. --n;
  60. c += p[n];
  61. p[n] = (u8)c;
  62. c >>= 8;
  63. } while (n);
  64. }
  65. static void ctr_XOR(PROV_DRBG_CTR *ctr, const unsigned char *in, size_t inlen)
  66. {
  67. size_t i, n;
  68. if (in == NULL || inlen == 0)
  69. return;
  70. /*
  71. * Any zero padding will have no effect on the result as we
  72. * are XORing. So just process however much input we have.
  73. */
  74. n = inlen < ctr->keylen ? inlen : ctr->keylen;
  75. for (i = 0; i < n; i++)
  76. ctr->K[i] ^= in[i];
  77. if (inlen <= ctr->keylen)
  78. return;
  79. n = inlen - ctr->keylen;
  80. if (n > 16) {
  81. /* Should never happen */
  82. n = 16;
  83. }
  84. for (i = 0; i < n; i++)
  85. ctr->V[i] ^= in[i + ctr->keylen];
  86. }
  87. /*
  88. * Process a complete block using BCC algorithm of SP 800-90A 10.3.3
  89. */
  90. __owur static int ctr_BCC_block(PROV_DRBG_CTR *ctr, unsigned char *out,
  91. const unsigned char *in, int len)
  92. {
  93. int i, outlen = AES_BLOCK_SIZE;
  94. for (i = 0; i < len; i++)
  95. out[i] ^= in[i];
  96. if (!EVP_CipherUpdate(ctr->ctx_df, out, &outlen, out, len)
  97. || outlen != len)
  98. return 0;
  99. return 1;
  100. }
  101. /*
  102. * Handle several BCC operations for as much data as we need for K and X
  103. */
  104. __owur static int ctr_BCC_blocks(PROV_DRBG_CTR *ctr, const unsigned char *in)
  105. {
  106. unsigned char in_tmp[48];
  107. unsigned char num_of_blk = 2;
  108. memcpy(in_tmp, in, 16);
  109. memcpy(in_tmp + 16, in, 16);
  110. if (ctr->keylen != 16) {
  111. memcpy(in_tmp + 32, in, 16);
  112. num_of_blk = 3;
  113. }
  114. return ctr_BCC_block(ctr, ctr->KX, in_tmp, AES_BLOCK_SIZE * num_of_blk);
  115. }
  116. /*
  117. * Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
  118. * see 10.3.1 stage 7.
  119. */
  120. __owur static int ctr_BCC_init(PROV_DRBG_CTR *ctr)
  121. {
  122. unsigned char bltmp[48] = {0};
  123. unsigned char num_of_blk;
  124. memset(ctr->KX, 0, 48);
  125. num_of_blk = ctr->keylen == 16 ? 2 : 3;
  126. bltmp[(AES_BLOCK_SIZE * 1) + 3] = 1;
  127. bltmp[(AES_BLOCK_SIZE * 2) + 3] = 2;
  128. return ctr_BCC_block(ctr, ctr->KX, bltmp, num_of_blk * AES_BLOCK_SIZE);
  129. }
  130. /*
  131. * Process several blocks into BCC algorithm, some possibly partial
  132. */
  133. __owur static int ctr_BCC_update(PROV_DRBG_CTR *ctr,
  134. const unsigned char *in, size_t inlen)
  135. {
  136. if (in == NULL || inlen == 0)
  137. return 1;
  138. /* If we have partial block handle it first */
  139. if (ctr->bltmp_pos) {
  140. size_t left = 16 - ctr->bltmp_pos;
  141. /* If we now have a complete block process it */
  142. if (inlen >= left) {
  143. memcpy(ctr->bltmp + ctr->bltmp_pos, in, left);
  144. if (!ctr_BCC_blocks(ctr, ctr->bltmp))
  145. return 0;
  146. ctr->bltmp_pos = 0;
  147. inlen -= left;
  148. in += left;
  149. }
  150. }
  151. /* Process zero or more complete blocks */
  152. for (; inlen >= 16; in += 16, inlen -= 16) {
  153. if (!ctr_BCC_blocks(ctr, in))
  154. return 0;
  155. }
  156. /* Copy any remaining partial block to the temporary buffer */
  157. if (inlen > 0) {
  158. memcpy(ctr->bltmp + ctr->bltmp_pos, in, inlen);
  159. ctr->bltmp_pos += inlen;
  160. }
  161. return 1;
  162. }
  163. __owur static int ctr_BCC_final(PROV_DRBG_CTR *ctr)
  164. {
  165. if (ctr->bltmp_pos) {
  166. memset(ctr->bltmp + ctr->bltmp_pos, 0, 16 - ctr->bltmp_pos);
  167. if (!ctr_BCC_blocks(ctr, ctr->bltmp))
  168. return 0;
  169. }
  170. return 1;
  171. }
  172. __owur static int ctr_df(PROV_DRBG_CTR *ctr,
  173. const unsigned char *in1, size_t in1len,
  174. const unsigned char *in2, size_t in2len,
  175. const unsigned char *in3, size_t in3len)
  176. {
  177. static unsigned char c80 = 0x80;
  178. size_t inlen;
  179. unsigned char *p = ctr->bltmp;
  180. int outlen = AES_BLOCK_SIZE;
  181. if (!ctr_BCC_init(ctr))
  182. return 0;
  183. if (in1 == NULL)
  184. in1len = 0;
  185. if (in2 == NULL)
  186. in2len = 0;
  187. if (in3 == NULL)
  188. in3len = 0;
  189. inlen = in1len + in2len + in3len;
  190. /* Initialise L||N in temporary block */
  191. *p++ = (inlen >> 24) & 0xff;
  192. *p++ = (inlen >> 16) & 0xff;
  193. *p++ = (inlen >> 8) & 0xff;
  194. *p++ = inlen & 0xff;
  195. /* NB keylen is at most 32 bytes */
  196. *p++ = 0;
  197. *p++ = 0;
  198. *p++ = 0;
  199. *p = (unsigned char)((ctr->keylen + 16) & 0xff);
  200. ctr->bltmp_pos = 8;
  201. if (!ctr_BCC_update(ctr, in1, in1len)
  202. || !ctr_BCC_update(ctr, in2, in2len)
  203. || !ctr_BCC_update(ctr, in3, in3len)
  204. || !ctr_BCC_update(ctr, &c80, 1)
  205. || !ctr_BCC_final(ctr))
  206. return 0;
  207. /* Set up key K */
  208. if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->KX, NULL, -1))
  209. return 0;
  210. /* X follows key K */
  211. if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX, &outlen, ctr->KX + ctr->keylen,
  212. AES_BLOCK_SIZE)
  213. || outlen != AES_BLOCK_SIZE)
  214. return 0;
  215. if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX + 16, &outlen, ctr->KX,
  216. AES_BLOCK_SIZE)
  217. || outlen != AES_BLOCK_SIZE)
  218. return 0;
  219. if (ctr->keylen != 16)
  220. if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX + 32, &outlen,
  221. ctr->KX + 16, AES_BLOCK_SIZE)
  222. || outlen != AES_BLOCK_SIZE)
  223. return 0;
  224. return 1;
  225. }
  226. /*
  227. * NB the no-df Update in SP800-90A specifies a constant input length
  228. * of seedlen, however other uses of this algorithm pad the input with
  229. * zeroes if necessary and have up to two parameters XORed together,
  230. * so we handle both cases in this function instead.
  231. */
  232. __owur static int ctr_update(PROV_DRBG *drbg,
  233. const unsigned char *in1, size_t in1len,
  234. const unsigned char *in2, size_t in2len,
  235. const unsigned char *nonce, size_t noncelen)
  236. {
  237. PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
  238. int outlen = AES_BLOCK_SIZE;
  239. unsigned char V_tmp[48], out[48];
  240. unsigned char len;
  241. /* correct key is already set up. */
  242. memcpy(V_tmp, ctr->V, 16);
  243. inc_128(ctr);
  244. memcpy(V_tmp + 16, ctr->V, 16);
  245. if (ctr->keylen == 16) {
  246. len = 32;
  247. } else {
  248. inc_128(ctr);
  249. memcpy(V_tmp + 32, ctr->V, 16);
  250. len = 48;
  251. }
  252. if (!EVP_CipherUpdate(ctr->ctx_ecb, out, &outlen, V_tmp, len)
  253. || outlen != len)
  254. return 0;
  255. memcpy(ctr->K, out, ctr->keylen);
  256. memcpy(ctr->V, out + ctr->keylen, 16);
  257. if (ctr->use_df) {
  258. /* If no input reuse existing derived value */
  259. if (in1 != NULL || nonce != NULL || in2 != NULL)
  260. if (!ctr_df(ctr, in1, in1len, nonce, noncelen, in2, in2len))
  261. return 0;
  262. /* If this a reuse input in1len != 0 */
  263. if (in1len)
  264. ctr_XOR(ctr, ctr->KX, drbg->seedlen);
  265. } else {
  266. ctr_XOR(ctr, in1, in1len);
  267. ctr_XOR(ctr, in2, in2len);
  268. }
  269. if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->K, NULL, -1)
  270. || !EVP_CipherInit_ex(ctr->ctx_ctr, NULL, NULL, ctr->K, NULL, -1))
  271. return 0;
  272. return 1;
  273. }
  274. static int drbg_ctr_instantiate(PROV_DRBG *drbg,
  275. const unsigned char *entropy, size_t entropylen,
  276. const unsigned char *nonce, size_t noncelen,
  277. const unsigned char *pers, size_t perslen)
  278. {
  279. PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
  280. if (entropy == NULL)
  281. return 0;
  282. memset(ctr->K, 0, sizeof(ctr->K));
  283. memset(ctr->V, 0, sizeof(ctr->V));
  284. if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->K, NULL, -1))
  285. return 0;
  286. inc_128(ctr);
  287. if (!ctr_update(drbg, entropy, entropylen, pers, perslen, nonce, noncelen))
  288. return 0;
  289. return 1;
  290. }
  291. static int drbg_ctr_instantiate_wrapper(void *vdrbg, unsigned int strength,
  292. int prediction_resistance,
  293. const unsigned char *pstr,
  294. size_t pstr_len,
  295. const OSSL_PARAM params[])
  296. {
  297. PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
  298. if (!ossl_prov_is_running() || !drbg_ctr_set_ctx_params(drbg, params))
  299. return 0;
  300. return ossl_prov_drbg_instantiate(drbg, strength, prediction_resistance,
  301. pstr, pstr_len);
  302. }
  303. static int drbg_ctr_reseed(PROV_DRBG *drbg,
  304. const unsigned char *entropy, size_t entropylen,
  305. const unsigned char *adin, size_t adinlen)
  306. {
  307. PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
  308. if (entropy == NULL)
  309. return 0;
  310. inc_128(ctr);
  311. if (!ctr_update(drbg, entropy, entropylen, adin, adinlen, NULL, 0))
  312. return 0;
  313. return 1;
  314. }
  315. static int drbg_ctr_reseed_wrapper(void *vdrbg, int prediction_resistance,
  316. const unsigned char *ent, size_t ent_len,
  317. const unsigned char *adin, size_t adin_len)
  318. {
  319. PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
  320. return ossl_prov_drbg_reseed(drbg, prediction_resistance, ent, ent_len,
  321. adin, adin_len);
  322. }
  323. static void ctr96_inc(unsigned char *counter)
  324. {
  325. u32 n = 12, c = 1;
  326. do {
  327. --n;
  328. c += counter[n];
  329. counter[n] = (u8)c;
  330. c >>= 8;
  331. } while (n);
  332. }
  333. static int drbg_ctr_generate(PROV_DRBG *drbg,
  334. unsigned char *out, size_t outlen,
  335. const unsigned char *adin, size_t adinlen)
  336. {
  337. PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
  338. unsigned int ctr32, blocks;
  339. int outl, buflen;
  340. if (adin != NULL && adinlen != 0) {
  341. inc_128(ctr);
  342. if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
  343. return 0;
  344. /* This means we reuse derived value */
  345. if (ctr->use_df) {
  346. adin = NULL;
  347. adinlen = 1;
  348. }
  349. } else {
  350. adinlen = 0;
  351. }
  352. inc_128(ctr);
  353. if (outlen == 0) {
  354. inc_128(ctr);
  355. if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
  356. return 0;
  357. return 1;
  358. }
  359. memset(out, 0, outlen);
  360. do {
  361. if (!EVP_CipherInit_ex(ctr->ctx_ctr,
  362. NULL, NULL, NULL, ctr->V, -1))
  363. return 0;
  364. /*-
  365. * outlen has type size_t while EVP_CipherUpdate takes an
  366. * int argument and thus cannot be guaranteed to process more
  367. * than 2^31-1 bytes at a time. We process such huge generate
  368. * requests in 2^30 byte chunks, which is the greatest multiple
  369. * of AES block size lower than or equal to 2^31-1.
  370. */
  371. buflen = outlen > (1U << 30) ? (1U << 30) : outlen;
  372. blocks = (buflen + 15) / 16;
  373. ctr32 = GETU32(ctr->V + 12) + blocks;
  374. if (ctr32 < blocks) {
  375. /* 32-bit counter overflow into V. */
  376. if (ctr32 != 0) {
  377. blocks -= ctr32;
  378. buflen = blocks * 16;
  379. ctr32 = 0;
  380. }
  381. ctr96_inc(ctr->V);
  382. }
  383. PUTU32(ctr->V + 12, ctr32);
  384. if (!EVP_CipherUpdate(ctr->ctx_ctr, out, &outl, out, buflen)
  385. || outl != buflen)
  386. return 0;
  387. out += buflen;
  388. outlen -= buflen;
  389. } while (outlen);
  390. if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
  391. return 0;
  392. return 1;
  393. }
  394. static int drbg_ctr_generate_wrapper
  395. (void *vdrbg, unsigned char *out, size_t outlen,
  396. unsigned int strength, int prediction_resistance,
  397. const unsigned char *adin, size_t adin_len)
  398. {
  399. PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
  400. return ossl_prov_drbg_generate(drbg, out, outlen, strength,
  401. prediction_resistance, adin, adin_len);
  402. }
  403. static int drbg_ctr_uninstantiate(PROV_DRBG *drbg)
  404. {
  405. PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
  406. OPENSSL_cleanse(ctr->K, sizeof(ctr->K));
  407. OPENSSL_cleanse(ctr->V, sizeof(ctr->V));
  408. OPENSSL_cleanse(ctr->bltmp, sizeof(ctr->bltmp));
  409. OPENSSL_cleanse(ctr->KX, sizeof(ctr->KX));
  410. ctr->bltmp_pos = 0;
  411. return ossl_prov_drbg_uninstantiate(drbg);
  412. }
  413. static int drbg_ctr_uninstantiate_wrapper(void *vdrbg)
  414. {
  415. return drbg_ctr_uninstantiate((PROV_DRBG *)vdrbg);
  416. }
  417. static int drbg_ctr_verify_zeroization(void *vdrbg)
  418. {
  419. PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
  420. PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
  421. PROV_DRBG_VERYIFY_ZEROIZATION(ctr->K);
  422. PROV_DRBG_VERYIFY_ZEROIZATION(ctr->V);
  423. PROV_DRBG_VERYIFY_ZEROIZATION(ctr->bltmp);
  424. PROV_DRBG_VERYIFY_ZEROIZATION(ctr->KX);
  425. if (ctr->bltmp_pos != 0)
  426. return 0;
  427. return 1;
  428. }
  429. static int drbg_ctr_init_lengths(PROV_DRBG *drbg)
  430. {
  431. PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
  432. int res = 1;
  433. /* Maximum number of bits per request = 2^19 = 2^16 bytes */
  434. drbg->max_request = 1 << 16;
  435. if (ctr->use_df) {
  436. drbg->min_entropylen = 0;
  437. drbg->max_entropylen = DRBG_MAX_LENGTH;
  438. drbg->min_noncelen = 0;
  439. drbg->max_noncelen = DRBG_MAX_LENGTH;
  440. drbg->max_perslen = DRBG_MAX_LENGTH;
  441. drbg->max_adinlen = DRBG_MAX_LENGTH;
  442. if (ctr->keylen > 0) {
  443. drbg->min_entropylen = ctr->keylen;
  444. drbg->min_noncelen = drbg->min_entropylen / 2;
  445. }
  446. } else {
  447. const size_t len = ctr->keylen > 0 ? drbg->seedlen : DRBG_MAX_LENGTH;
  448. drbg->min_entropylen = len;
  449. drbg->max_entropylen = len;
  450. /* Nonce not used */
  451. drbg->min_noncelen = 0;
  452. drbg->max_noncelen = 0;
  453. drbg->max_perslen = len;
  454. drbg->max_adinlen = len;
  455. }
  456. return res;
  457. }
  458. static int drbg_ctr_init(PROV_DRBG *drbg)
  459. {
  460. PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
  461. size_t keylen;
  462. if (ctr->cipher_ctr == NULL) {
  463. ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CIPHER);
  464. return 0;
  465. }
  466. ctr->keylen = keylen = EVP_CIPHER_get_key_length(ctr->cipher_ctr);
  467. if (ctr->ctx_ecb == NULL)
  468. ctr->ctx_ecb = EVP_CIPHER_CTX_new();
  469. if (ctr->ctx_ctr == NULL)
  470. ctr->ctx_ctr = EVP_CIPHER_CTX_new();
  471. if (ctr->ctx_ecb == NULL || ctr->ctx_ctr == NULL) {
  472. ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
  473. goto err;
  474. }
  475. if (!EVP_CipherInit_ex(ctr->ctx_ecb,
  476. ctr->cipher_ecb, NULL, NULL, NULL, 1)
  477. || !EVP_CipherInit_ex(ctr->ctx_ctr,
  478. ctr->cipher_ctr, NULL, NULL, NULL, 1)) {
  479. ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_INITIALISE_CIPHERS);
  480. goto err;
  481. }
  482. drbg->strength = keylen * 8;
  483. drbg->seedlen = keylen + 16;
  484. if (ctr->use_df) {
  485. /* df initialisation */
  486. static const unsigned char df_key[32] = {
  487. 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
  488. 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
  489. 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
  490. 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
  491. };
  492. if (ctr->ctx_df == NULL)
  493. ctr->ctx_df = EVP_CIPHER_CTX_new();
  494. if (ctr->ctx_df == NULL) {
  495. ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
  496. goto err;
  497. }
  498. /* Set key schedule for df_key */
  499. if (!EVP_CipherInit_ex(ctr->ctx_df,
  500. ctr->cipher_ecb, NULL, df_key, NULL, 1)) {
  501. ERR_raise(ERR_LIB_PROV, PROV_R_DERIVATION_FUNCTION_INIT_FAILED);
  502. goto err;
  503. }
  504. }
  505. return drbg_ctr_init_lengths(drbg);
  506. err:
  507. EVP_CIPHER_CTX_free(ctr->ctx_ecb);
  508. EVP_CIPHER_CTX_free(ctr->ctx_ctr);
  509. ctr->ctx_ecb = ctr->ctx_ctr = NULL;
  510. return 0;
  511. }
  512. static int drbg_ctr_new(PROV_DRBG *drbg)
  513. {
  514. PROV_DRBG_CTR *ctr;
  515. ctr = OPENSSL_secure_zalloc(sizeof(*ctr));
  516. if (ctr == NULL) {
  517. ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
  518. return 0;
  519. }
  520. ctr->use_df = 1;
  521. drbg->data = ctr;
  522. return drbg_ctr_init_lengths(drbg);
  523. }
  524. static void *drbg_ctr_new_wrapper(void *provctx, void *parent,
  525. const OSSL_DISPATCH *parent_dispatch)
  526. {
  527. return ossl_rand_drbg_new(provctx, parent, parent_dispatch,
  528. &drbg_ctr_new, &drbg_ctr_free,
  529. &drbg_ctr_instantiate, &drbg_ctr_uninstantiate,
  530. &drbg_ctr_reseed, &drbg_ctr_generate);
  531. }
  532. static void drbg_ctr_free(void *vdrbg)
  533. {
  534. PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
  535. PROV_DRBG_CTR *ctr;
  536. if (drbg != NULL && (ctr = (PROV_DRBG_CTR *)drbg->data) != NULL) {
  537. EVP_CIPHER_CTX_free(ctr->ctx_ecb);
  538. EVP_CIPHER_CTX_free(ctr->ctx_ctr);
  539. EVP_CIPHER_CTX_free(ctr->ctx_df);
  540. EVP_CIPHER_free(ctr->cipher_ecb);
  541. EVP_CIPHER_free(ctr->cipher_ctr);
  542. OPENSSL_secure_clear_free(ctr, sizeof(*ctr));
  543. }
  544. ossl_rand_drbg_free(drbg);
  545. }
  546. static int drbg_ctr_get_ctx_params(void *vdrbg, OSSL_PARAM params[])
  547. {
  548. PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
  549. PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
  550. OSSL_PARAM *p;
  551. p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_USE_DF);
  552. if (p != NULL && !OSSL_PARAM_set_int(p, ctr->use_df))
  553. return 0;
  554. p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_CIPHER);
  555. if (p != NULL) {
  556. if (ctr->cipher_ctr == NULL
  557. || !OSSL_PARAM_set_utf8_string(p,
  558. EVP_CIPHER_get0_name(ctr->cipher_ctr)))
  559. return 0;
  560. }
  561. return ossl_drbg_get_ctx_params(drbg, params);
  562. }
  563. static const OSSL_PARAM *drbg_ctr_gettable_ctx_params(ossl_unused void *vctx,
  564. ossl_unused void *provctx)
  565. {
  566. static const OSSL_PARAM known_gettable_ctx_params[] = {
  567. OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_CIPHER, NULL, 0),
  568. OSSL_PARAM_int(OSSL_DRBG_PARAM_USE_DF, NULL),
  569. OSSL_PARAM_DRBG_GETTABLE_CTX_COMMON,
  570. OSSL_PARAM_END
  571. };
  572. return known_gettable_ctx_params;
  573. }
  574. static int drbg_ctr_set_ctx_params(void *vctx, const OSSL_PARAM params[])
  575. {
  576. PROV_DRBG *ctx = (PROV_DRBG *)vctx;
  577. PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)ctx->data;
  578. OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
  579. const OSSL_PARAM *p;
  580. char *ecb;
  581. const char *propquery = NULL;
  582. int i, cipher_init = 0;
  583. if ((p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_USE_DF)) != NULL
  584. && OSSL_PARAM_get_int(p, &i)) {
  585. /* FIPS errors out in the drbg_ctr_init() call later */
  586. ctr->use_df = i != 0;
  587. cipher_init = 1;
  588. }
  589. if ((p = OSSL_PARAM_locate_const(params,
  590. OSSL_DRBG_PARAM_PROPERTIES)) != NULL) {
  591. if (p->data_type != OSSL_PARAM_UTF8_STRING)
  592. return 0;
  593. propquery = (const char *)p->data;
  594. }
  595. if ((p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_CIPHER)) != NULL) {
  596. const char *base = (const char *)p->data;
  597. size_t ctr_str_len = sizeof("CTR") - 1;
  598. size_t ecb_str_len = sizeof("ECB") - 1;
  599. if (p->data_type != OSSL_PARAM_UTF8_STRING
  600. || p->data_size < ctr_str_len)
  601. return 0;
  602. if (OPENSSL_strcasecmp("CTR", base + p->data_size - ctr_str_len) != 0) {
  603. ERR_raise(ERR_LIB_PROV, PROV_R_REQUIRE_CTR_MODE_CIPHER);
  604. return 0;
  605. }
  606. if ((ecb = OPENSSL_strndup(base, p->data_size)) == NULL) {
  607. ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
  608. return 0;
  609. }
  610. strcpy(ecb + p->data_size - ecb_str_len, "ECB");
  611. EVP_CIPHER_free(ctr->cipher_ecb);
  612. EVP_CIPHER_free(ctr->cipher_ctr);
  613. ctr->cipher_ctr = EVP_CIPHER_fetch(libctx, base, propquery);
  614. ctr->cipher_ecb = EVP_CIPHER_fetch(libctx, ecb, propquery);
  615. OPENSSL_free(ecb);
  616. if (ctr->cipher_ctr == NULL || ctr->cipher_ecb == NULL) {
  617. ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_FIND_CIPHERS);
  618. return 0;
  619. }
  620. cipher_init = 1;
  621. }
  622. if (cipher_init && !drbg_ctr_init(ctx))
  623. return 0;
  624. return ossl_drbg_set_ctx_params(ctx, params);
  625. }
  626. static const OSSL_PARAM *drbg_ctr_settable_ctx_params(ossl_unused void *vctx,
  627. ossl_unused void *provctx)
  628. {
  629. static const OSSL_PARAM known_settable_ctx_params[] = {
  630. OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_PROPERTIES, NULL, 0),
  631. OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_CIPHER, NULL, 0),
  632. OSSL_PARAM_int(OSSL_DRBG_PARAM_USE_DF, NULL),
  633. OSSL_PARAM_DRBG_SETTABLE_CTX_COMMON,
  634. OSSL_PARAM_END
  635. };
  636. return known_settable_ctx_params;
  637. }
  638. const OSSL_DISPATCH ossl_drbg_ctr_functions[] = {
  639. { OSSL_FUNC_RAND_NEWCTX, (void(*)(void))drbg_ctr_new_wrapper },
  640. { OSSL_FUNC_RAND_FREECTX, (void(*)(void))drbg_ctr_free },
  641. { OSSL_FUNC_RAND_INSTANTIATE,
  642. (void(*)(void))drbg_ctr_instantiate_wrapper },
  643. { OSSL_FUNC_RAND_UNINSTANTIATE,
  644. (void(*)(void))drbg_ctr_uninstantiate_wrapper },
  645. { OSSL_FUNC_RAND_GENERATE, (void(*)(void))drbg_ctr_generate_wrapper },
  646. { OSSL_FUNC_RAND_RESEED, (void(*)(void))drbg_ctr_reseed_wrapper },
  647. { OSSL_FUNC_RAND_ENABLE_LOCKING, (void(*)(void))ossl_drbg_enable_locking },
  648. { OSSL_FUNC_RAND_LOCK, (void(*)(void))ossl_drbg_lock },
  649. { OSSL_FUNC_RAND_UNLOCK, (void(*)(void))ossl_drbg_unlock },
  650. { OSSL_FUNC_RAND_SETTABLE_CTX_PARAMS,
  651. (void(*)(void))drbg_ctr_settable_ctx_params },
  652. { OSSL_FUNC_RAND_SET_CTX_PARAMS, (void(*)(void))drbg_ctr_set_ctx_params },
  653. { OSSL_FUNC_RAND_GETTABLE_CTX_PARAMS,
  654. (void(*)(void))drbg_ctr_gettable_ctx_params },
  655. { OSSL_FUNC_RAND_GET_CTX_PARAMS, (void(*)(void))drbg_ctr_get_ctx_params },
  656. { OSSL_FUNC_RAND_VERIFY_ZEROIZATION,
  657. (void(*)(void))drbg_ctr_verify_zeroization },
  658. { OSSL_FUNC_RAND_GET_SEED, (void(*)(void))ossl_drbg_get_seed },
  659. { OSSL_FUNC_RAND_CLEAR_SEED, (void(*)(void))ossl_drbg_clear_seed },
  660. { 0, NULL }
  661. };