2017-06-27 16:04:37 +00:00
|
|
|
/*
|
2018-01-09 04:49:01 +00:00
|
|
|
* Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved.
|
2017-06-27 16:04:37 +00:00
|
|
|
*
|
2018-12-06 12:52:15 +00:00
|
|
|
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
2017-06-27 16:04:37 +00:00
|
|
|
* this file except in compliance with the License. You can obtain a copy
|
|
|
|
|
* in the file LICENSE in the source distribution or at
|
|
|
|
|
* https://www.openssl.org/source/license.html
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <stdlib.h>
|
|
|
|
|
#include <string.h>
|
|
|
|
|
#include <openssl/crypto.h>
|
|
|
|
|
#include <openssl/err.h>
|
|
|
|
|
#include <openssl/rand.h>
|
|
|
|
|
#include "internal/thread_once.h"
|
2018-03-05 22:45:44 +00:00
|
|
|
#include "rand_lcl.h"
|
2018-07-24 01:16:38 +00:00
|
|
|
|
2017-06-27 16:04:37 +00:00
|
|
|
/*
|
2017-08-03 13:23:28 +00:00
|
|
|
* Implementation of NIST SP 800-90A CTR DRBG.
|
2017-06-27 16:04:37 +00:00
|
|
|
*/
|
2017-08-03 13:23:28 +00:00
|
|
|
static void inc_128(RAND_DRBG_CTR *ctr)
|
2017-06-27 16:04:37 +00:00
|
|
|
{
|
|
|
|
|
int i;
|
|
|
|
|
unsigned char c;
|
2017-08-03 13:23:28 +00:00
|
|
|
unsigned char *p = &ctr->V[15];
|
2017-06-27 16:04:37 +00:00
|
|
|
|
|
|
|
|
for (i = 0; i < 16; i++, p--) {
|
|
|
|
|
c = *p;
|
|
|
|
|
c++;
|
|
|
|
|
*p = c;
|
|
|
|
|
if (c != 0) {
|
|
|
|
|
/* If we didn't wrap around, we're done. */
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2017-08-03 13:23:28 +00:00
|
|
|
static void ctr_XOR(RAND_DRBG_CTR *ctr, const unsigned char *in, size_t inlen)
|
2017-06-27 16:04:37 +00:00
|
|
|
{
|
|
|
|
|
size_t i, n;
|
|
|
|
|
|
|
|
|
|
if (in == NULL || inlen == 0)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Any zero padding will have no effect on the result as we
|
|
|
|
|
* are XORing. So just process however much input we have.
|
|
|
|
|
*/
|
2017-08-03 13:23:28 +00:00
|
|
|
n = inlen < ctr->keylen ? inlen : ctr->keylen;
|
2017-06-27 16:04:37 +00:00
|
|
|
for (i = 0; i < n; i++)
|
2017-08-03 13:23:28 +00:00
|
|
|
ctr->K[i] ^= in[i];
|
|
|
|
|
if (inlen <= ctr->keylen)
|
2017-06-27 16:04:37 +00:00
|
|
|
return;
|
|
|
|
|
|
2017-08-03 13:23:28 +00:00
|
|
|
n = inlen - ctr->keylen;
|
2017-06-27 16:04:37 +00:00
|
|
|
if (n > 16) {
|
|
|
|
|
/* Should never happen */
|
|
|
|
|
n = 16;
|
|
|
|
|
}
|
2017-07-19 22:59:52 +00:00
|
|
|
for (i = 0; i < n; i++)
|
2017-08-03 13:23:28 +00:00
|
|
|
ctr->V[i] ^= in[i + ctr->keylen];
|
2017-06-27 16:04:37 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Process a complete block using BCC algorithm of SP 800-90A 10.3.3
|
|
|
|
|
*/
|
2018-03-10 11:23:21 +00:00
|
|
|
__owur static int ctr_BCC_block(RAND_DRBG_CTR *ctr, unsigned char *out,
|
|
|
|
|
const unsigned char *in)
|
2017-06-27 16:04:37 +00:00
|
|
|
{
|
2018-03-10 11:23:21 +00:00
|
|
|
int i, outlen = AES_BLOCK_SIZE;
|
2017-06-27 16:04:37 +00:00
|
|
|
|
|
|
|
|
for (i = 0; i < 16; i++)
|
|
|
|
|
out[i] ^= in[i];
|
2018-03-10 11:23:21 +00:00
|
|
|
|
|
|
|
|
if (!EVP_CipherUpdate(ctr->ctx_df, out, &outlen, out, AES_BLOCK_SIZE)
|
|
|
|
|
|| outlen != AES_BLOCK_SIZE)
|
|
|
|
|
return 0;
|
|
|
|
|
return 1;
|
2017-06-27 16:04:37 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Handle several BCC operations for as much data as we need for K and X
|
|
|
|
|
*/
|
2018-03-10 11:23:21 +00:00
|
|
|
__owur static int ctr_BCC_blocks(RAND_DRBG_CTR *ctr, const unsigned char *in)
|
2017-06-27 16:04:37 +00:00
|
|
|
{
|
2018-03-10 11:23:21 +00:00
|
|
|
if (!ctr_BCC_block(ctr, ctr->KX, in)
|
|
|
|
|
|| !ctr_BCC_block(ctr, ctr->KX + 16, in))
|
|
|
|
|
return 0;
|
|
|
|
|
if (ctr->keylen != 16 && !ctr_BCC_block(ctr, ctr->KX + 32, in))
|
|
|
|
|
return 0;
|
|
|
|
|
return 1;
|
2017-06-27 16:04:37 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
|
|
|
|
|
* see 10.3.1 stage 7.
|
|
|
|
|
*/
|
2018-03-10 11:23:21 +00:00
|
|
|
__owur static int ctr_BCC_init(RAND_DRBG_CTR *ctr)
|
2017-06-27 16:04:37 +00:00
|
|
|
{
|
2017-08-03 13:23:28 +00:00
|
|
|
memset(ctr->KX, 0, 48);
|
|
|
|
|
memset(ctr->bltmp, 0, 16);
|
2018-03-10 11:23:21 +00:00
|
|
|
if (!ctr_BCC_block(ctr, ctr->KX, ctr->bltmp))
|
|
|
|
|
return 0;
|
2017-08-03 13:23:28 +00:00
|
|
|
ctr->bltmp[3] = 1;
|
2018-03-10 11:23:21 +00:00
|
|
|
if (!ctr_BCC_block(ctr, ctr->KX + 16, ctr->bltmp))
|
|
|
|
|
return 0;
|
2017-08-03 13:23:28 +00:00
|
|
|
if (ctr->keylen != 16) {
|
|
|
|
|
ctr->bltmp[3] = 2;
|
2018-03-10 11:23:21 +00:00
|
|
|
if (!ctr_BCC_block(ctr, ctr->KX + 32, ctr->bltmp))
|
|
|
|
|
return 0;
|
2017-06-27 16:04:37 +00:00
|
|
|
}
|
2018-03-10 11:23:21 +00:00
|
|
|
return 1;
|
2017-06-27 16:04:37 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Process several blocks into BCC algorithm, some possibly partial
|
|
|
|
|
*/
|
2018-03-10 11:23:21 +00:00
|
|
|
__owur static int ctr_BCC_update(RAND_DRBG_CTR *ctr,
|
|
|
|
|
const unsigned char *in, size_t inlen)
|
2017-06-27 16:04:37 +00:00
|
|
|
{
|
|
|
|
|
if (in == NULL || inlen == 0)
|
2018-03-10 11:23:21 +00:00
|
|
|
return 1;
|
2017-06-27 16:04:37 +00:00
|
|
|
|
|
|
|
|
/* If we have partial block handle it first */
|
2017-08-03 13:23:28 +00:00
|
|
|
if (ctr->bltmp_pos) {
|
|
|
|
|
size_t left = 16 - ctr->bltmp_pos;
|
2017-06-27 16:04:37 +00:00
|
|
|
|
|
|
|
|
/* If we now have a complete block process it */
|
|
|
|
|
if (inlen >= left) {
|
2017-08-03 13:23:28 +00:00
|
|
|
memcpy(ctr->bltmp + ctr->bltmp_pos, in, left);
|
2018-03-10 11:23:21 +00:00
|
|
|
if (!ctr_BCC_blocks(ctr, ctr->bltmp))
|
|
|
|
|
return 0;
|
2017-08-03 13:23:28 +00:00
|
|
|
ctr->bltmp_pos = 0;
|
2017-06-27 16:04:37 +00:00
|
|
|
inlen -= left;
|
|
|
|
|
in += left;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Process zero or more complete blocks */
|
|
|
|
|
for (; inlen >= 16; in += 16, inlen -= 16) {
|
2018-03-10 11:23:21 +00:00
|
|
|
if (!ctr_BCC_blocks(ctr, in))
|
|
|
|
|
return 0;
|
2017-06-27 16:04:37 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Copy any remaining partial block to the temporary buffer */
|
|
|
|
|
if (inlen > 0) {
|
2017-08-03 13:23:28 +00:00
|
|
|
memcpy(ctr->bltmp + ctr->bltmp_pos, in, inlen);
|
|
|
|
|
ctr->bltmp_pos += inlen;
|
2017-06-27 16:04:37 +00:00
|
|
|
}
|
2018-03-10 11:23:21 +00:00
|
|
|
return 1;
|
2017-06-27 16:04:37 +00:00
|
|
|
}
|
|
|
|
|
|
2018-03-10 11:23:21 +00:00
|
|
|
__owur static int ctr_BCC_final(RAND_DRBG_CTR *ctr)
|
2017-06-27 16:04:37 +00:00
|
|
|
{
|
2017-08-03 13:23:28 +00:00
|
|
|
if (ctr->bltmp_pos) {
|
|
|
|
|
memset(ctr->bltmp + ctr->bltmp_pos, 0, 16 - ctr->bltmp_pos);
|
2018-03-10 11:23:21 +00:00
|
|
|
if (!ctr_BCC_blocks(ctr, ctr->bltmp))
|
|
|
|
|
return 0;
|
2017-06-27 16:04:37 +00:00
|
|
|
}
|
2018-03-10 11:23:21 +00:00
|
|
|
return 1;
|
2017-06-27 16:04:37 +00:00
|
|
|
}
|
|
|
|
|
|
2018-03-10 11:23:21 +00:00
|
|
|
__owur static int ctr_df(RAND_DRBG_CTR *ctr,
|
|
|
|
|
const unsigned char *in1, size_t in1len,
|
|
|
|
|
const unsigned char *in2, size_t in2len,
|
|
|
|
|
const unsigned char *in3, size_t in3len)
|
2017-06-27 16:04:37 +00:00
|
|
|
{
|
|
|
|
|
static unsigned char c80 = 0x80;
|
|
|
|
|
size_t inlen;
|
2017-08-03 13:23:28 +00:00
|
|
|
unsigned char *p = ctr->bltmp;
|
2018-03-10 11:23:21 +00:00
|
|
|
int outlen = AES_BLOCK_SIZE;
|
2017-06-27 16:04:37 +00:00
|
|
|
|
2018-03-10 11:23:21 +00:00
|
|
|
if (!ctr_BCC_init(ctr))
|
|
|
|
|
return 0;
|
2017-06-27 16:04:37 +00:00
|
|
|
if (in1 == NULL)
|
|
|
|
|
in1len = 0;
|
|
|
|
|
if (in2 == NULL)
|
|
|
|
|
in2len = 0;
|
|
|
|
|
if (in3 == NULL)
|
|
|
|
|
in3len = 0;
|
|
|
|
|
inlen = in1len + in2len + in3len;
|
|
|
|
|
/* Initialise L||N in temporary block */
|
|
|
|
|
*p++ = (inlen >> 24) & 0xff;
|
|
|
|
|
*p++ = (inlen >> 16) & 0xff;
|
|
|
|
|
*p++ = (inlen >> 8) & 0xff;
|
|
|
|
|
*p++ = inlen & 0xff;
|
|
|
|
|
|
|
|
|
|
/* NB keylen is at most 32 bytes */
|
|
|
|
|
*p++ = 0;
|
|
|
|
|
*p++ = 0;
|
|
|
|
|
*p++ = 0;
|
2017-08-03 13:23:28 +00:00
|
|
|
*p = (unsigned char)((ctr->keylen + 16) & 0xff);
|
|
|
|
|
ctr->bltmp_pos = 8;
|
2018-03-10 11:23:21 +00:00
|
|
|
if (!ctr_BCC_update(ctr, in1, in1len)
|
|
|
|
|
|| !ctr_BCC_update(ctr, in2, in2len)
|
|
|
|
|
|| !ctr_BCC_update(ctr, in3, in3len)
|
|
|
|
|
|| !ctr_BCC_update(ctr, &c80, 1)
|
|
|
|
|
|| !ctr_BCC_final(ctr))
|
|
|
|
|
return 0;
|
2017-06-27 16:04:37 +00:00
|
|
|
/* Set up key K */
|
2018-03-10 11:23:21 +00:00
|
|
|
if (!EVP_CipherInit_ex(ctr->ctx, ctr->cipher, NULL, ctr->KX, NULL, 1))
|
|
|
|
|
return 0;
|
2017-06-27 16:04:37 +00:00
|
|
|
/* X follows key K */
|
2018-03-10 11:23:21 +00:00
|
|
|
if (!EVP_CipherUpdate(ctr->ctx, ctr->KX, &outlen, ctr->KX + ctr->keylen,
|
|
|
|
|
AES_BLOCK_SIZE)
|
|
|
|
|
|| outlen != AES_BLOCK_SIZE)
|
|
|
|
|
return 0;
|
|
|
|
|
if (!EVP_CipherUpdate(ctr->ctx, ctr->KX + 16, &outlen, ctr->KX,
|
|
|
|
|
AES_BLOCK_SIZE)
|
|
|
|
|
|| outlen != AES_BLOCK_SIZE)
|
|
|
|
|
return 0;
|
2017-08-03 13:23:28 +00:00
|
|
|
if (ctr->keylen != 16)
|
2018-03-10 11:23:21 +00:00
|
|
|
if (!EVP_CipherUpdate(ctr->ctx, ctr->KX + 32, &outlen, ctr->KX + 16,
|
|
|
|
|
AES_BLOCK_SIZE)
|
|
|
|
|
|| outlen != AES_BLOCK_SIZE)
|
|
|
|
|
return 0;
|
|
|
|
|
return 1;
|
2017-06-27 16:04:37 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* NB the no-df Update in SP800-90A specifies a constant input length
|
|
|
|
|
* of seedlen, however other uses of this algorithm pad the input with
|
|
|
|
|
* zeroes if necessary and have up to two parameters XORed together,
|
2017-08-03 13:23:28 +00:00
|
|
|
* so we handle both cases in this function instead.
|
2017-06-27 16:04:37 +00:00
|
|
|
*/
|
2018-03-10 11:23:21 +00:00
|
|
|
__owur static int ctr_update(RAND_DRBG *drbg,
|
|
|
|
|
const unsigned char *in1, size_t in1len,
|
|
|
|
|
const unsigned char *in2, size_t in2len,
|
|
|
|
|
const unsigned char *nonce, size_t noncelen)
|
2017-06-27 16:04:37 +00:00
|
|
|
{
|
2017-12-28 20:42:14 +00:00
|
|
|
RAND_DRBG_CTR *ctr = &drbg->data.ctr;
|
2018-03-10 11:23:21 +00:00
|
|
|
int outlen = AES_BLOCK_SIZE;
|
2017-06-27 16:04:37 +00:00
|
|
|
|
2018-03-10 11:23:21 +00:00
|
|
|
/* correct key is already set up. */
|
2017-08-03 13:23:28 +00:00
|
|
|
inc_128(ctr);
|
2018-03-10 11:23:21 +00:00
|
|
|
if (!EVP_CipherUpdate(ctr->ctx, ctr->K, &outlen, ctr->V, AES_BLOCK_SIZE)
|
|
|
|
|
|| outlen != AES_BLOCK_SIZE)
|
|
|
|
|
return 0;
|
2017-06-27 16:04:37 +00:00
|
|
|
|
|
|
|
|
/* If keylen longer than 128 bits need extra encrypt */
|
2017-08-03 13:23:28 +00:00
|
|
|
if (ctr->keylen != 16) {
|
|
|
|
|
inc_128(ctr);
|
2018-03-10 11:23:21 +00:00
|
|
|
if (!EVP_CipherUpdate(ctr->ctx, ctr->K+16, &outlen, ctr->V,
|
|
|
|
|
AES_BLOCK_SIZE)
|
|
|
|
|
|| outlen != AES_BLOCK_SIZE)
|
|
|
|
|
return 0;
|
2017-06-27 16:04:37 +00:00
|
|
|
}
|
2017-08-03 13:23:28 +00:00
|
|
|
inc_128(ctr);
|
2018-03-10 11:23:21 +00:00
|
|
|
if (!EVP_CipherUpdate(ctr->ctx, ctr->V, &outlen, ctr->V, AES_BLOCK_SIZE)
|
|
|
|
|
|| outlen != AES_BLOCK_SIZE)
|
|
|
|
|
return 0;
|
2017-06-27 16:04:37 +00:00
|
|
|
|
|
|
|
|
/* If 192 bit key part of V is on end of K */
|
2017-08-03 13:23:28 +00:00
|
|
|
if (ctr->keylen == 24) {
|
|
|
|
|
memcpy(ctr->V + 8, ctr->V, 8);
|
|
|
|
|
memcpy(ctr->V, ctr->K + 24, 8);
|
2017-06-27 16:04:37 +00:00
|
|
|
}
|
|
|
|
|
|
2018-02-08 22:04:16 +00:00
|
|
|
if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
|
2017-06-27 16:04:37 +00:00
|
|
|
/* If no input reuse existing derived value */
|
|
|
|
|
if (in1 != NULL || nonce != NULL || in2 != NULL)
|
2018-03-10 11:23:21 +00:00
|
|
|
if (!ctr_df(ctr, in1, in1len, nonce, noncelen, in2, in2len))
|
|
|
|
|
return 0;
|
2017-06-27 16:04:37 +00:00
|
|
|
/* If this a reuse input in1len != 0 */
|
|
|
|
|
if (in1len)
|
2017-08-03 13:23:28 +00:00
|
|
|
ctr_XOR(ctr, ctr->KX, drbg->seedlen);
|
2017-06-27 16:04:37 +00:00
|
|
|
} else {
|
2017-08-03 13:23:28 +00:00
|
|
|
ctr_XOR(ctr, in1, in1len);
|
|
|
|
|
ctr_XOR(ctr, in2, in2len);
|
2017-06-27 16:04:37 +00:00
|
|
|
}
|
|
|
|
|
|
2018-03-10 11:23:21 +00:00
|
|
|
if (!EVP_CipherInit_ex(ctr->ctx, ctr->cipher, NULL, ctr->K, NULL, 1))
|
|
|
|
|
return 0;
|
|
|
|
|
return 1;
|
2017-06-27 16:04:37 +00:00
|
|
|
}
|
|
|
|
|
|
2018-03-10 11:23:21 +00:00
|
|
|
__owur static int drbg_ctr_instantiate(RAND_DRBG *drbg,
|
|
|
|
|
const unsigned char *entropy, size_t entropylen,
|
|
|
|
|
const unsigned char *nonce, size_t noncelen,
|
|
|
|
|
const unsigned char *pers, size_t perslen)
|
2017-06-27 16:04:37 +00:00
|
|
|
{
|
2017-12-28 20:42:14 +00:00
|
|
|
RAND_DRBG_CTR *ctr = &drbg->data.ctr;
|
2017-06-27 16:04:37 +00:00
|
|
|
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-20 21:02:46 +00:00
|
|
|
if (entropy == NULL)
|
2017-08-05 11:04:10 +00:00
|
|
|
return 0;
|
|
|
|
|
|
2017-08-03 13:23:28 +00:00
|
|
|
memset(ctr->K, 0, sizeof(ctr->K));
|
|
|
|
|
memset(ctr->V, 0, sizeof(ctr->V));
|
2018-03-10 11:23:21 +00:00
|
|
|
if (!EVP_CipherInit_ex(ctr->ctx, ctr->cipher, NULL, ctr->K, NULL, 1))
|
|
|
|
|
return 0;
|
|
|
|
|
if (!ctr_update(drbg, entropy, entropylen, pers, perslen, nonce, noncelen))
|
|
|
|
|
return 0;
|
2017-06-27 16:04:37 +00:00
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2018-03-10 11:23:21 +00:00
|
|
|
__owur static int drbg_ctr_reseed(RAND_DRBG *drbg,
|
|
|
|
|
const unsigned char *entropy, size_t entropylen,
|
|
|
|
|
const unsigned char *adin, size_t adinlen)
|
2017-06-27 16:04:37 +00:00
|
|
|
{
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-20 21:02:46 +00:00
|
|
|
if (entropy == NULL)
|
2017-08-05 11:04:10 +00:00
|
|
|
return 0;
|
2018-03-10 11:23:21 +00:00
|
|
|
if (!ctr_update(drbg, entropy, entropylen, adin, adinlen, NULL, 0))
|
|
|
|
|
return 0;
|
2017-06-27 16:04:37 +00:00
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2018-03-10 11:23:21 +00:00
|
|
|
__owur static int drbg_ctr_generate(RAND_DRBG *drbg,
|
|
|
|
|
unsigned char *out, size_t outlen,
|
|
|
|
|
const unsigned char *adin, size_t adinlen)
|
2017-06-27 16:04:37 +00:00
|
|
|
{
|
2017-12-28 20:42:14 +00:00
|
|
|
RAND_DRBG_CTR *ctr = &drbg->data.ctr;
|
2017-06-27 16:04:37 +00:00
|
|
|
|
|
|
|
|
if (adin != NULL && adinlen != 0) {
|
2018-03-10 11:23:21 +00:00
|
|
|
if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
|
|
|
|
|
return 0;
|
2017-06-27 16:04:37 +00:00
|
|
|
/* This means we reuse derived value */
|
2018-02-08 22:04:16 +00:00
|
|
|
if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
|
2017-06-27 16:04:37 +00:00
|
|
|
adin = NULL;
|
|
|
|
|
adinlen = 1;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
adinlen = 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for ( ; ; ) {
|
2018-03-10 11:23:21 +00:00
|
|
|
int outl = AES_BLOCK_SIZE;
|
|
|
|
|
|
2017-08-03 13:23:28 +00:00
|
|
|
inc_128(ctr);
|
2017-06-27 16:04:37 +00:00
|
|
|
if (outlen < 16) {
|
|
|
|
|
/* Use K as temp space as it will be updated */
|
2018-03-10 11:23:21 +00:00
|
|
|
if (!EVP_CipherUpdate(ctr->ctx, ctr->K, &outl, ctr->V,
|
|
|
|
|
AES_BLOCK_SIZE)
|
|
|
|
|
|| outl != AES_BLOCK_SIZE)
|
|
|
|
|
return 0;
|
2017-08-03 13:23:28 +00:00
|
|
|
memcpy(out, ctr->K, outlen);
|
2017-06-27 16:04:37 +00:00
|
|
|
break;
|
|
|
|
|
}
|
2018-03-10 11:23:21 +00:00
|
|
|
if (!EVP_CipherUpdate(ctr->ctx, out, &outl, ctr->V, AES_BLOCK_SIZE)
|
|
|
|
|
|| outl != AES_BLOCK_SIZE)
|
|
|
|
|
return 0;
|
2017-06-27 16:04:37 +00:00
|
|
|
out += 16;
|
|
|
|
|
outlen -= 16;
|
|
|
|
|
if (outlen == 0)
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2018-03-10 11:23:21 +00:00
|
|
|
if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
|
|
|
|
|
return 0;
|
2017-06-27 16:04:37 +00:00
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2017-12-28 20:42:14 +00:00
|
|
|
static int drbg_ctr_uninstantiate(RAND_DRBG *drbg)
|
2017-06-27 16:04:37 +00:00
|
|
|
{
|
2018-03-10 11:23:21 +00:00
|
|
|
EVP_CIPHER_CTX_free(drbg->data.ctr.ctx);
|
|
|
|
|
EVP_CIPHER_CTX_free(drbg->data.ctr.ctx_df);
|
2019-05-23 13:35:42 +00:00
|
|
|
EVP_CIPHER_meth_free(drbg->data.ctr.cipher);
|
2017-12-28 20:42:14 +00:00
|
|
|
OPENSSL_cleanse(&drbg->data.ctr, sizeof(drbg->data.ctr));
|
2017-06-27 16:04:37 +00:00
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2017-12-28 20:42:14 +00:00
|
|
|
static RAND_DRBG_METHOD drbg_ctr_meth = {
|
|
|
|
|
drbg_ctr_instantiate,
|
|
|
|
|
drbg_ctr_reseed,
|
|
|
|
|
drbg_ctr_generate,
|
|
|
|
|
drbg_ctr_uninstantiate
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
int drbg_ctr_init(RAND_DRBG *drbg)
|
2017-06-27 16:04:37 +00:00
|
|
|
{
|
2017-12-28 20:42:14 +00:00
|
|
|
RAND_DRBG_CTR *ctr = &drbg->data.ctr;
|
2017-06-27 16:04:37 +00:00
|
|
|
size_t keylen;
|
2019-05-23 13:35:42 +00:00
|
|
|
EVP_CIPHER *cipher = NULL;
|
2017-06-27 16:04:37 +00:00
|
|
|
|
2018-03-15 18:48:43 +00:00
|
|
|
switch (drbg->type) {
|
2017-06-27 16:04:37 +00:00
|
|
|
default:
|
|
|
|
|
/* This can't happen, but silence the compiler warning. */
|
2017-11-20 22:27:23 +00:00
|
|
|
return 0;
|
2017-06-27 16:04:37 +00:00
|
|
|
case NID_aes_128_ctr:
|
|
|
|
|
keylen = 16;
|
2019-05-23 13:35:42 +00:00
|
|
|
cipher = EVP_CIPHER_fetch(drbg->libctx, "AES-128-ECB", "");
|
2017-06-27 16:04:37 +00:00
|
|
|
break;
|
|
|
|
|
case NID_aes_192_ctr:
|
|
|
|
|
keylen = 24;
|
2019-05-23 13:35:42 +00:00
|
|
|
cipher = EVP_CIPHER_fetch(drbg->libctx, "AES-192-ECB", "");
|
2017-06-27 16:04:37 +00:00
|
|
|
break;
|
|
|
|
|
case NID_aes_256_ctr:
|
|
|
|
|
keylen = 32;
|
2019-05-23 13:35:42 +00:00
|
|
|
cipher = EVP_CIPHER_fetch(drbg->libctx, "AES-256-ECB", "");
|
2017-06-27 16:04:37 +00:00
|
|
|
break;
|
|
|
|
|
}
|
2019-05-23 13:35:42 +00:00
|
|
|
if (cipher == NULL)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
EVP_CIPHER_meth_free(ctr->cipher);
|
|
|
|
|
ctr->cipher = cipher;
|
2017-06-27 16:04:37 +00:00
|
|
|
|
2017-12-28 20:42:14 +00:00
|
|
|
drbg->meth = &drbg_ctr_meth;
|
|
|
|
|
|
2017-08-03 13:23:28 +00:00
|
|
|
ctr->keylen = keylen;
|
2018-03-10 11:23:21 +00:00
|
|
|
if (ctr->ctx == NULL)
|
|
|
|
|
ctr->ctx = EVP_CIPHER_CTX_new();
|
|
|
|
|
if (ctr->ctx == NULL)
|
|
|
|
|
return 0;
|
2017-08-03 13:23:28 +00:00
|
|
|
drbg->strength = keylen * 8;
|
|
|
|
|
drbg->seedlen = keylen + 16;
|
2017-06-27 16:04:37 +00:00
|
|
|
|
2018-02-08 22:04:16 +00:00
|
|
|
if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
|
2017-06-27 16:04:37 +00:00
|
|
|
/* df initialisation */
|
2018-03-10 11:23:21 +00:00
|
|
|
static const unsigned char df_key[32] = {
|
2017-09-15 19:14:34 +00:00
|
|
|
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
|
|
|
|
|
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
|
|
|
|
|
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
|
|
|
|
|
0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
|
2017-06-27 16:04:37 +00:00
|
|
|
};
|
2018-03-10 11:23:21 +00:00
|
|
|
|
|
|
|
|
if (ctr->ctx_df == NULL)
|
|
|
|
|
ctr->ctx_df = EVP_CIPHER_CTX_new();
|
|
|
|
|
if (ctr->ctx_df == NULL)
|
|
|
|
|
return 0;
|
2017-06-27 16:04:37 +00:00
|
|
|
/* Set key schedule for df_key */
|
2018-03-10 11:23:21 +00:00
|
|
|
if (!EVP_CipherInit_ex(ctr->ctx_df, ctr->cipher, NULL, df_key, NULL, 1))
|
|
|
|
|
return 0;
|
2017-08-03 13:23:28 +00:00
|
|
|
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-20 21:02:46 +00:00
|
|
|
drbg->min_entropylen = ctr->keylen;
|
2018-10-09 23:53:29 +00:00
|
|
|
drbg->max_entropylen = DRBG_MAX_LENGTH;
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-20 21:02:46 +00:00
|
|
|
drbg->min_noncelen = drbg->min_entropylen / 2;
|
2018-10-09 23:53:29 +00:00
|
|
|
drbg->max_noncelen = DRBG_MAX_LENGTH;
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-20 21:02:46 +00:00
|
|
|
drbg->max_perslen = DRBG_MAX_LENGTH;
|
|
|
|
|
drbg->max_adinlen = DRBG_MAX_LENGTH;
|
2017-06-27 16:04:37 +00:00
|
|
|
} else {
|
2019-04-10 22:52:22 +00:00
|
|
|
#ifdef FIPS_MODE
|
|
|
|
|
RANDerr(RAND_F_DRBG_CTR_INIT,
|
|
|
|
|
RAND_R_DERIVATION_FUNCTION_MANDATORY_FOR_FIPS);
|
|
|
|
|
return 0;
|
|
|
|
|
#else
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-20 21:02:46 +00:00
|
|
|
drbg->min_entropylen = drbg->seedlen;
|
|
|
|
|
drbg->max_entropylen = drbg->seedlen;
|
2017-06-27 16:04:37 +00:00
|
|
|
/* Nonce not used */
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-20 21:02:46 +00:00
|
|
|
drbg->min_noncelen = 0;
|
|
|
|
|
drbg->max_noncelen = 0;
|
|
|
|
|
drbg->max_perslen = drbg->seedlen;
|
|
|
|
|
drbg->max_adinlen = drbg->seedlen;
|
2019-04-10 22:52:22 +00:00
|
|
|
#endif
|
2017-06-27 16:04:37 +00:00
|
|
|
}
|
|
|
|
|
|
2017-08-03 13:23:28 +00:00
|
|
|
drbg->max_request = 1 << 16;
|
2018-03-09 17:24:23 +00:00
|
|
|
|
2017-06-27 16:04:37 +00:00
|
|
|
return 1;
|
|
|
|
|
}
|
