1 /*
2 * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <stdlib.h>
11 #include <string.h>
12 #include <openssl/crypto.h>
13 #include <openssl/err.h>
14 #include <openssl/rand.h>
15 #include "modes_local.h"
16 #include "internal/thread_once.h"
17 #include "rand_local.h"
18
19 /*
20 * Implementation of NIST SP 800-90A CTR DRBG.
21 */
22
inc_128(RAND_DRBG_CTR * ctr)23 static void inc_128(RAND_DRBG_CTR *ctr)
24 {
25 unsigned char *p = &ctr->V[0];
26 u32 n = 16, c = 1;
27
28 do {
29 --n;
30 c += p[n];
31 p[n] = (u8)c;
32 c >>= 8;
33 } while (n);
34 }
35
ctr_XOR(RAND_DRBG_CTR * ctr,const unsigned char * in,size_t inlen)36 static void ctr_XOR(RAND_DRBG_CTR *ctr, const unsigned char *in, size_t inlen)
37 {
38 size_t i, n;
39
40 if (in == NULL || inlen == 0)
41 return;
42
43 /*
44 * Any zero padding will have no effect on the result as we
45 * are XORing. So just process however much input we have.
46 */
47 n = inlen < ctr->keylen ? inlen : ctr->keylen;
48 for (i = 0; i < n; i++)
49 ctr->K[i] ^= in[i];
50 if (inlen <= ctr->keylen)
51 return;
52
53 n = inlen - ctr->keylen;
54 if (n > 16) {
55 /* Should never happen */
56 n = 16;
57 }
58 for (i = 0; i < n; i++)
59 ctr->V[i] ^= in[i + ctr->keylen];
60 }
61
62 /*
63 * Process a complete block using BCC algorithm of SP 800-90A 10.3.3
64 */
ctr_BCC_block(RAND_DRBG_CTR * ctr,unsigned char * out,const unsigned char * in,int len)65 __owur static int ctr_BCC_block(RAND_DRBG_CTR *ctr, unsigned char *out,
66 const unsigned char *in, int len)
67 {
68 int i, outlen = AES_BLOCK_SIZE;
69
70 for (i = 0; i < len; i++)
71 out[i] ^= in[i];
72
73 if (!EVP_CipherUpdate(ctr->ctx_df, out, &outlen, out, len)
74 || outlen != len)
75 return 0;
76 return 1;
77 }
78
79
80 /*
81 * Handle several BCC operations for as much data as we need for K and X
82 */
ctr_BCC_blocks(RAND_DRBG_CTR * ctr,const unsigned char * in)83 __owur static int ctr_BCC_blocks(RAND_DRBG_CTR *ctr, const unsigned char *in)
84 {
85 unsigned char in_tmp[48];
86 unsigned char num_of_blk = 2;
87
88 memcpy(in_tmp, in, 16);
89 memcpy(in_tmp + 16, in, 16);
90 if (ctr->keylen != 16) {
91 memcpy(in_tmp + 32, in, 16);
92 num_of_blk = 3;
93 }
94 return ctr_BCC_block(ctr, ctr->KX, in_tmp, AES_BLOCK_SIZE * num_of_blk);
95 }
96
97 /*
98 * Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
99 * see 10.3.1 stage 7.
100 */
ctr_BCC_init(RAND_DRBG_CTR * ctr)101 __owur static int ctr_BCC_init(RAND_DRBG_CTR *ctr)
102 {
103 unsigned char bltmp[48] = {0};
104 unsigned char num_of_blk;
105
106 memset(ctr->KX, 0, 48);
107 num_of_blk = ctr->keylen == 16 ? 2 : 3;
108 bltmp[(AES_BLOCK_SIZE * 1) + 3] = 1;
109 bltmp[(AES_BLOCK_SIZE * 2) + 3] = 2;
110 return ctr_BCC_block(ctr, ctr->KX, bltmp, num_of_blk * AES_BLOCK_SIZE);
111 }
112
113 /*
114 * Process several blocks into BCC algorithm, some possibly partial
115 */
ctr_BCC_update(RAND_DRBG_CTR * ctr,const unsigned char * in,size_t inlen)116 __owur static int ctr_BCC_update(RAND_DRBG_CTR *ctr,
117 const unsigned char *in, size_t inlen)
118 {
119 if (in == NULL || inlen == 0)
120 return 1;
121
122 /* If we have partial block handle it first */
123 if (ctr->bltmp_pos) {
124 size_t left = 16 - ctr->bltmp_pos;
125
126 /* If we now have a complete block process it */
127 if (inlen >= left) {
128 memcpy(ctr->bltmp + ctr->bltmp_pos, in, left);
129 if (!ctr_BCC_blocks(ctr, ctr->bltmp))
130 return 0;
131 ctr->bltmp_pos = 0;
132 inlen -= left;
133 in += left;
134 }
135 }
136
137 /* Process zero or more complete blocks */
138 for (; inlen >= 16; in += 16, inlen -= 16) {
139 if (!ctr_BCC_blocks(ctr, in))
140 return 0;
141 }
142
143 /* Copy any remaining partial block to the temporary buffer */
144 if (inlen > 0) {
145 memcpy(ctr->bltmp + ctr->bltmp_pos, in, inlen);
146 ctr->bltmp_pos += inlen;
147 }
148 return 1;
149 }
150
ctr_BCC_final(RAND_DRBG_CTR * ctr)151 __owur static int ctr_BCC_final(RAND_DRBG_CTR *ctr)
152 {
153 if (ctr->bltmp_pos) {
154 memset(ctr->bltmp + ctr->bltmp_pos, 0, 16 - ctr->bltmp_pos);
155 if (!ctr_BCC_blocks(ctr, ctr->bltmp))
156 return 0;
157 }
158 return 1;
159 }
160
ctr_df(RAND_DRBG_CTR * ctr,const unsigned char * in1,size_t in1len,const unsigned char * in2,size_t in2len,const unsigned char * in3,size_t in3len)161 __owur static int ctr_df(RAND_DRBG_CTR *ctr,
162 const unsigned char *in1, size_t in1len,
163 const unsigned char *in2, size_t in2len,
164 const unsigned char *in3, size_t in3len)
165 {
166 static unsigned char c80 = 0x80;
167 size_t inlen;
168 unsigned char *p = ctr->bltmp;
169 int outlen = AES_BLOCK_SIZE;
170
171 if (!ctr_BCC_init(ctr))
172 return 0;
173 if (in1 == NULL)
174 in1len = 0;
175 if (in2 == NULL)
176 in2len = 0;
177 if (in3 == NULL)
178 in3len = 0;
179 inlen = in1len + in2len + in3len;
180 /* Initialise L||N in temporary block */
181 *p++ = (inlen >> 24) & 0xff;
182 *p++ = (inlen >> 16) & 0xff;
183 *p++ = (inlen >> 8) & 0xff;
184 *p++ = inlen & 0xff;
185
186 /* NB keylen is at most 32 bytes */
187 *p++ = 0;
188 *p++ = 0;
189 *p++ = 0;
190 *p = (unsigned char)((ctr->keylen + 16) & 0xff);
191 ctr->bltmp_pos = 8;
192 if (!ctr_BCC_update(ctr, in1, in1len)
193 || !ctr_BCC_update(ctr, in2, in2len)
194 || !ctr_BCC_update(ctr, in3, in3len)
195 || !ctr_BCC_update(ctr, &c80, 1)
196 || !ctr_BCC_final(ctr))
197 return 0;
198 /* Set up key K */
199 if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->KX, NULL, -1))
200 return 0;
201 /* X follows key K */
202 if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX, &outlen, ctr->KX + ctr->keylen,
203 AES_BLOCK_SIZE)
204 || outlen != AES_BLOCK_SIZE)
205 return 0;
206 if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX + 16, &outlen, ctr->KX,
207 AES_BLOCK_SIZE)
208 || outlen != AES_BLOCK_SIZE)
209 return 0;
210 if (ctr->keylen != 16)
211 if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX + 32, &outlen,
212 ctr->KX + 16, AES_BLOCK_SIZE)
213 || outlen != AES_BLOCK_SIZE)
214 return 0;
215 return 1;
216 }
217
218 /*
219 * NB the no-df Update in SP800-90A specifies a constant input length
220 * of seedlen, however other uses of this algorithm pad the input with
221 * zeroes if necessary and have up to two parameters XORed together,
222 * so we handle both cases in this function instead.
223 */
ctr_update(RAND_DRBG * drbg,const unsigned char * in1,size_t in1len,const unsigned char * in2,size_t in2len,const unsigned char * nonce,size_t noncelen)224 __owur static int ctr_update(RAND_DRBG *drbg,
225 const unsigned char *in1, size_t in1len,
226 const unsigned char *in2, size_t in2len,
227 const unsigned char *nonce, size_t noncelen)
228 {
229 RAND_DRBG_CTR *ctr = &drbg->data.ctr;
230 int outlen = AES_BLOCK_SIZE;
231 unsigned char V_tmp[48], out[48];
232 unsigned char len;
233
234 /* correct key is already set up. */
235 memcpy(V_tmp, ctr->V, 16);
236 inc_128(ctr);
237 memcpy(V_tmp + 16, ctr->V, 16);
238 if (ctr->keylen == 16) {
239 len = 32;
240 } else {
241 inc_128(ctr);
242 memcpy(V_tmp + 32, ctr->V, 16);
243 len = 48;
244 }
245 if (!EVP_CipherUpdate(ctr->ctx_ecb, out, &outlen, V_tmp, len)
246 || outlen != len)
247 return 0;
248 memcpy(ctr->K, out, ctr->keylen);
249 memcpy(ctr->V, out + ctr->keylen, 16);
250
251 if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
252 /* If no input reuse existing derived value */
253 if (in1 != NULL || nonce != NULL || in2 != NULL)
254 if (!ctr_df(ctr, in1, in1len, nonce, noncelen, in2, in2len))
255 return 0;
256 /* If this a reuse input in1len != 0 */
257 if (in1len)
258 ctr_XOR(ctr, ctr->KX, drbg->seedlen);
259 } else {
260 ctr_XOR(ctr, in1, in1len);
261 ctr_XOR(ctr, in2, in2len);
262 }
263
264 if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->K, NULL, -1)
265 || !EVP_CipherInit_ex(ctr->ctx_ctr, NULL, NULL, ctr->K, NULL, -1))
266 return 0;
267 return 1;
268 }
269
drbg_ctr_instantiate(RAND_DRBG * drbg,const unsigned char * entropy,size_t entropylen,const unsigned char * nonce,size_t noncelen,const unsigned char * pers,size_t perslen)270 __owur static int drbg_ctr_instantiate(RAND_DRBG *drbg,
271 const unsigned char *entropy, size_t entropylen,
272 const unsigned char *nonce, size_t noncelen,
273 const unsigned char *pers, size_t perslen)
274 {
275 RAND_DRBG_CTR *ctr = &drbg->data.ctr;
276
277 if (entropy == NULL)
278 return 0;
279
280 memset(ctr->K, 0, sizeof(ctr->K));
281 memset(ctr->V, 0, sizeof(ctr->V));
282 if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->K, NULL, -1))
283 return 0;
284
285 inc_128(ctr);
286 if (!ctr_update(drbg, entropy, entropylen, pers, perslen, nonce, noncelen))
287 return 0;
288 return 1;
289 }
290
drbg_ctr_reseed(RAND_DRBG * drbg,const unsigned char * entropy,size_t entropylen,const unsigned char * adin,size_t adinlen)291 __owur static int drbg_ctr_reseed(RAND_DRBG *drbg,
292 const unsigned char *entropy, size_t entropylen,
293 const unsigned char *adin, size_t adinlen)
294 {
295 RAND_DRBG_CTR *ctr = &drbg->data.ctr;
296
297 if (entropy == NULL)
298 return 0;
299
300 inc_128(ctr);
301 if (!ctr_update(drbg, entropy, entropylen, adin, adinlen, NULL, 0))
302 return 0;
303 return 1;
304 }
305
ctr96_inc(unsigned char * counter)306 static void ctr96_inc(unsigned char *counter)
307 {
308 u32 n = 12, c = 1;
309
310 do {
311 --n;
312 c += counter[n];
313 counter[n] = (u8)c;
314 c >>= 8;
315 } while (n);
316 }
317
drbg_ctr_generate(RAND_DRBG * drbg,unsigned char * out,size_t outlen,const unsigned char * adin,size_t adinlen)318 __owur static int drbg_ctr_generate(RAND_DRBG *drbg,
319 unsigned char *out, size_t outlen,
320 const unsigned char *adin, size_t adinlen)
321 {
322 RAND_DRBG_CTR *ctr = &drbg->data.ctr;
323 unsigned int ctr32, blocks;
324 int outl, buflen;
325
326 if (adin != NULL && adinlen != 0) {
327 inc_128(ctr);
328
329 if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
330 return 0;
331 /* This means we reuse derived value */
332 if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
333 adin = NULL;
334 adinlen = 1;
335 }
336 } else {
337 adinlen = 0;
338 }
339
340 inc_128(ctr);
341
342 if (outlen == 0) {
343 inc_128(ctr);
344
345 if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
346 return 0;
347 return 1;
348 }
349
350 memset(out, 0, outlen);
351
352 do {
353 if (!EVP_CipherInit_ex(ctr->ctx_ctr,
354 NULL, NULL, NULL, ctr->V, -1))
355 return 0;
356
357 /*-
358 * outlen has type size_t while EVP_CipherUpdate takes an
359 * int argument and thus cannot be guaranteed to process more
360 * than 2^31-1 bytes at a time. We process such huge generate
361 * requests in 2^30 byte chunks, which is the greatest multiple
362 * of AES block size lower than or equal to 2^31-1.
363 */
364 buflen = outlen > (1U << 30) ? (1U << 30) : outlen;
365 blocks = (buflen + 15) / 16;
366
367 ctr32 = GETU32(ctr->V + 12) + blocks;
368 if (ctr32 < blocks) {
369 /* 32-bit counter overflow into V. */
370 if (ctr32 != 0) {
371 blocks -= ctr32;
372 buflen = blocks * 16;
373 ctr32 = 0;
374 }
375 ctr96_inc(ctr->V);
376 }
377 PUTU32(ctr->V + 12, ctr32);
378
379 if (!EVP_CipherUpdate(ctr->ctx_ctr, out, &outl, out, buflen)
380 || outl != buflen)
381 return 0;
382
383 out += buflen;
384 outlen -= buflen;
385 } while (outlen);
386
387 if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
388 return 0;
389 return 1;
390 }
391
drbg_ctr_uninstantiate(RAND_DRBG * drbg)392 static int drbg_ctr_uninstantiate(RAND_DRBG *drbg)
393 {
394 EVP_CIPHER_CTX_free(drbg->data.ctr.ctx_ecb);
395 EVP_CIPHER_CTX_free(drbg->data.ctr.ctx_ctr);
396 EVP_CIPHER_CTX_free(drbg->data.ctr.ctx_df);
397 OPENSSL_cleanse(&drbg->data.ctr, sizeof(drbg->data.ctr));
398 return 1;
399 }
400
401 static RAND_DRBG_METHOD drbg_ctr_meth = {
402 drbg_ctr_instantiate,
403 drbg_ctr_reseed,
404 drbg_ctr_generate,
405 drbg_ctr_uninstantiate
406 };
407
drbg_ctr_init(RAND_DRBG * drbg)408 int drbg_ctr_init(RAND_DRBG *drbg)
409 {
410 RAND_DRBG_CTR *ctr = &drbg->data.ctr;
411 size_t keylen;
412
413 switch (drbg->type) {
414 default:
415 /* This can't happen, but silence the compiler warning. */
416 return 0;
417 case NID_aes_128_ctr:
418 keylen = 16;
419 ctr->cipher_ecb = EVP_aes_128_ecb();
420 ctr->cipher_ctr = EVP_aes_128_ctr();
421 break;
422 case NID_aes_192_ctr:
423 keylen = 24;
424 ctr->cipher_ecb = EVP_aes_192_ecb();
425 ctr->cipher_ctr = EVP_aes_192_ctr();
426 break;
427 case NID_aes_256_ctr:
428 keylen = 32;
429 ctr->cipher_ecb = EVP_aes_256_ecb();
430 ctr->cipher_ctr = EVP_aes_256_ctr();
431 break;
432 }
433
434 drbg->meth = &drbg_ctr_meth;
435
436 ctr->keylen = keylen;
437 if (ctr->ctx_ecb == NULL)
438 ctr->ctx_ecb = EVP_CIPHER_CTX_new();
439 if (ctr->ctx_ctr == NULL)
440 ctr->ctx_ctr = EVP_CIPHER_CTX_new();
441 if (ctr->ctx_ecb == NULL || ctr->ctx_ctr == NULL
442 || !EVP_CipherInit_ex(ctr->ctx_ecb,
443 ctr->cipher_ecb, NULL, NULL, NULL, 1)
444 || !EVP_CipherInit_ex(ctr->ctx_ctr,
445 ctr->cipher_ctr, NULL, NULL, NULL, 1))
446 return 0;
447
448 drbg->meth = &drbg_ctr_meth;
449 drbg->strength = keylen * 8;
450 drbg->seedlen = keylen + 16;
451
452 if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
453 /* df initialisation */
454 static const unsigned char df_key[32] = {
455 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
456 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
457 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
458 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
459 };
460
461 if (ctr->ctx_df == NULL)
462 ctr->ctx_df = EVP_CIPHER_CTX_new();
463 if (ctr->ctx_df == NULL)
464 return 0;
465 /* Set key schedule for df_key */
466 if (!EVP_CipherInit_ex(ctr->ctx_df,
467 ctr->cipher_ecb, NULL, df_key, NULL, 1))
468 return 0;
469
470 drbg->min_entropylen = ctr->keylen;
471 drbg->max_entropylen = DRBG_MAX_LENGTH;
472 drbg->min_noncelen = drbg->min_entropylen / 2;
473 drbg->max_noncelen = DRBG_MAX_LENGTH;
474 drbg->max_perslen = DRBG_MAX_LENGTH;
475 drbg->max_adinlen = DRBG_MAX_LENGTH;
476 } else {
477 drbg->min_entropylen = drbg->seedlen;
478 drbg->max_entropylen = drbg->seedlen;
479 /* Nonce not used */
480 drbg->min_noncelen = 0;
481 drbg->max_noncelen = 0;
482 drbg->max_perslen = drbg->seedlen;
483 drbg->max_adinlen = drbg->seedlen;
484 }
485
486 drbg->max_request = 1 << 16;
487
488 return 1;
489 }
490