• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the OpenSSL license (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 #include <stdlib.h>
11 #include <string.h>
12 #include <openssl/crypto.h>
13 #include <openssl/err.h>
14 #include <openssl/rand.h>
15 #include "modes_local.h"
16 #include "internal/thread_once.h"
17 #include "rand_local.h"
18 
19 /*
20  * Implementation of NIST SP 800-90A CTR DRBG.
21  */
22 
inc_128(RAND_DRBG_CTR * ctr)23 static void inc_128(RAND_DRBG_CTR *ctr)
24 {
25     unsigned char *p = &ctr->V[0];
26     u32 n = 16, c = 1;
27 
28     do {
29         --n;
30         c += p[n];
31         p[n] = (u8)c;
32         c >>= 8;
33     } while (n);
34 }
35 
ctr_XOR(RAND_DRBG_CTR * ctr,const unsigned char * in,size_t inlen)36 static void ctr_XOR(RAND_DRBG_CTR *ctr, const unsigned char *in, size_t inlen)
37 {
38     size_t i, n;
39 
40     if (in == NULL || inlen == 0)
41         return;
42 
43     /*
44      * Any zero padding will have no effect on the result as we
45      * are XORing. So just process however much input we have.
46      */
47     n = inlen < ctr->keylen ? inlen : ctr->keylen;
48     for (i = 0; i < n; i++)
49         ctr->K[i] ^= in[i];
50     if (inlen <= ctr->keylen)
51         return;
52 
53     n = inlen - ctr->keylen;
54     if (n > 16) {
55         /* Should never happen */
56         n = 16;
57     }
58     for (i = 0; i < n; i++)
59         ctr->V[i] ^= in[i + ctr->keylen];
60 }
61 
62 /*
63  * Process a complete block using BCC algorithm of SP 800-90A 10.3.3
64  */
ctr_BCC_block(RAND_DRBG_CTR * ctr,unsigned char * out,const unsigned char * in,int len)65 __owur static int ctr_BCC_block(RAND_DRBG_CTR *ctr, unsigned char *out,
66                                 const unsigned char *in, int len)
67 {
68     int i, outlen = AES_BLOCK_SIZE;
69 
70     for (i = 0; i < len; i++)
71         out[i] ^= in[i];
72 
73     if (!EVP_CipherUpdate(ctr->ctx_df, out, &outlen, out, len)
74         || outlen != len)
75         return 0;
76     return 1;
77 }
78 
79 
80 /*
81  * Handle several BCC operations for as much data as we need for K and X
82  */
ctr_BCC_blocks(RAND_DRBG_CTR * ctr,const unsigned char * in)83 __owur static int ctr_BCC_blocks(RAND_DRBG_CTR *ctr, const unsigned char *in)
84 {
85     unsigned char in_tmp[48];
86     unsigned char num_of_blk = 2;
87 
88     memcpy(in_tmp, in, 16);
89     memcpy(in_tmp + 16, in, 16);
90     if (ctr->keylen != 16) {
91         memcpy(in_tmp + 32, in, 16);
92         num_of_blk = 3;
93     }
94     return ctr_BCC_block(ctr, ctr->KX, in_tmp, AES_BLOCK_SIZE * num_of_blk);
95 }
96 
97 /*
98  * Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
99  * see 10.3.1 stage 7.
100  */
ctr_BCC_init(RAND_DRBG_CTR * ctr)101 __owur static int ctr_BCC_init(RAND_DRBG_CTR *ctr)
102 {
103     unsigned char bltmp[48] = {0};
104     unsigned char num_of_blk;
105 
106     memset(ctr->KX, 0, 48);
107     num_of_blk = ctr->keylen == 16 ? 2 : 3;
108     bltmp[(AES_BLOCK_SIZE * 1) + 3] = 1;
109     bltmp[(AES_BLOCK_SIZE * 2) + 3] = 2;
110     return ctr_BCC_block(ctr, ctr->KX, bltmp, num_of_blk * AES_BLOCK_SIZE);
111 }
112 
113 /*
114  * Process several blocks into BCC algorithm, some possibly partial
115  */
ctr_BCC_update(RAND_DRBG_CTR * ctr,const unsigned char * in,size_t inlen)116 __owur static int ctr_BCC_update(RAND_DRBG_CTR *ctr,
117                                  const unsigned char *in, size_t inlen)
118 {
119     if (in == NULL || inlen == 0)
120         return 1;
121 
122     /* If we have partial block handle it first */
123     if (ctr->bltmp_pos) {
124         size_t left = 16 - ctr->bltmp_pos;
125 
126         /* If we now have a complete block process it */
127         if (inlen >= left) {
128             memcpy(ctr->bltmp + ctr->bltmp_pos, in, left);
129             if (!ctr_BCC_blocks(ctr, ctr->bltmp))
130                 return 0;
131             ctr->bltmp_pos = 0;
132             inlen -= left;
133             in += left;
134         }
135     }
136 
137     /* Process zero or more complete blocks */
138     for (; inlen >= 16; in += 16, inlen -= 16) {
139         if (!ctr_BCC_blocks(ctr, in))
140             return 0;
141     }
142 
143     /* Copy any remaining partial block to the temporary buffer */
144     if (inlen > 0) {
145         memcpy(ctr->bltmp + ctr->bltmp_pos, in, inlen);
146         ctr->bltmp_pos += inlen;
147     }
148     return 1;
149 }
150 
ctr_BCC_final(RAND_DRBG_CTR * ctr)151 __owur static int ctr_BCC_final(RAND_DRBG_CTR *ctr)
152 {
153     if (ctr->bltmp_pos) {
154         memset(ctr->bltmp + ctr->bltmp_pos, 0, 16 - ctr->bltmp_pos);
155         if (!ctr_BCC_blocks(ctr, ctr->bltmp))
156             return 0;
157     }
158     return 1;
159 }
160 
ctr_df(RAND_DRBG_CTR * ctr,const unsigned char * in1,size_t in1len,const unsigned char * in2,size_t in2len,const unsigned char * in3,size_t in3len)161 __owur static int ctr_df(RAND_DRBG_CTR *ctr,
162                          const unsigned char *in1, size_t in1len,
163                          const unsigned char *in2, size_t in2len,
164                          const unsigned char *in3, size_t in3len)
165 {
166     static unsigned char c80 = 0x80;
167     size_t inlen;
168     unsigned char *p = ctr->bltmp;
169     int outlen = AES_BLOCK_SIZE;
170 
171     if (!ctr_BCC_init(ctr))
172         return 0;
173     if (in1 == NULL)
174         in1len = 0;
175     if (in2 == NULL)
176         in2len = 0;
177     if (in3 == NULL)
178         in3len = 0;
179     inlen = in1len + in2len + in3len;
180     /* Initialise L||N in temporary block */
181     *p++ = (inlen >> 24) & 0xff;
182     *p++ = (inlen >> 16) & 0xff;
183     *p++ = (inlen >> 8) & 0xff;
184     *p++ = inlen & 0xff;
185 
186     /* NB keylen is at most 32 bytes */
187     *p++ = 0;
188     *p++ = 0;
189     *p++ = 0;
190     *p = (unsigned char)((ctr->keylen + 16) & 0xff);
191     ctr->bltmp_pos = 8;
192     if (!ctr_BCC_update(ctr, in1, in1len)
193         || !ctr_BCC_update(ctr, in2, in2len)
194         || !ctr_BCC_update(ctr, in3, in3len)
195         || !ctr_BCC_update(ctr, &c80, 1)
196         || !ctr_BCC_final(ctr))
197         return 0;
198     /* Set up key K */
199     if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->KX, NULL, -1))
200         return 0;
201     /* X follows key K */
202     if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX, &outlen, ctr->KX + ctr->keylen,
203                           AES_BLOCK_SIZE)
204         || outlen != AES_BLOCK_SIZE)
205         return 0;
206     if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX + 16, &outlen, ctr->KX,
207                           AES_BLOCK_SIZE)
208         || outlen != AES_BLOCK_SIZE)
209         return 0;
210     if (ctr->keylen != 16)
211         if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX + 32, &outlen,
212                               ctr->KX + 16, AES_BLOCK_SIZE)
213             || outlen != AES_BLOCK_SIZE)
214             return 0;
215     return 1;
216 }
217 
218 /*
219  * NB the no-df Update in SP800-90A specifies a constant input length
220  * of seedlen, however other uses of this algorithm pad the input with
221  * zeroes if necessary and have up to two parameters XORed together,
222  * so we handle both cases in this function instead.
223  */
ctr_update(RAND_DRBG * drbg,const unsigned char * in1,size_t in1len,const unsigned char * in2,size_t in2len,const unsigned char * nonce,size_t noncelen)224 __owur static int ctr_update(RAND_DRBG *drbg,
225                              const unsigned char *in1, size_t in1len,
226                              const unsigned char *in2, size_t in2len,
227                              const unsigned char *nonce, size_t noncelen)
228 {
229     RAND_DRBG_CTR *ctr = &drbg->data.ctr;
230     int outlen = AES_BLOCK_SIZE;
231     unsigned char V_tmp[48], out[48];
232     unsigned char len;
233 
234     /* correct key is already set up. */
235     memcpy(V_tmp, ctr->V, 16);
236     inc_128(ctr);
237     memcpy(V_tmp + 16, ctr->V, 16);
238     if (ctr->keylen == 16) {
239         len = 32;
240     } else {
241         inc_128(ctr);
242         memcpy(V_tmp + 32, ctr->V, 16);
243         len = 48;
244     }
245     if (!EVP_CipherUpdate(ctr->ctx_ecb, out, &outlen, V_tmp, len)
246             || outlen != len)
247         return 0;
248     memcpy(ctr->K, out, ctr->keylen);
249     memcpy(ctr->V, out + ctr->keylen, 16);
250 
251     if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
252         /* If no input reuse existing derived value */
253         if (in1 != NULL || nonce != NULL || in2 != NULL)
254             if (!ctr_df(ctr, in1, in1len, nonce, noncelen, in2, in2len))
255                 return 0;
256         /* If this a reuse input in1len != 0 */
257         if (in1len)
258             ctr_XOR(ctr, ctr->KX, drbg->seedlen);
259     } else {
260         ctr_XOR(ctr, in1, in1len);
261         ctr_XOR(ctr, in2, in2len);
262     }
263 
264     if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->K, NULL, -1)
265         || !EVP_CipherInit_ex(ctr->ctx_ctr, NULL, NULL, ctr->K, NULL, -1))
266         return 0;
267     return 1;
268 }
269 
drbg_ctr_instantiate(RAND_DRBG * drbg,const unsigned char * entropy,size_t entropylen,const unsigned char * nonce,size_t noncelen,const unsigned char * pers,size_t perslen)270 __owur static int drbg_ctr_instantiate(RAND_DRBG *drbg,
271                                        const unsigned char *entropy, size_t entropylen,
272                                        const unsigned char *nonce, size_t noncelen,
273                                        const unsigned char *pers, size_t perslen)
274 {
275     RAND_DRBG_CTR *ctr = &drbg->data.ctr;
276 
277     if (entropy == NULL)
278         return 0;
279 
280     memset(ctr->K, 0, sizeof(ctr->K));
281     memset(ctr->V, 0, sizeof(ctr->V));
282     if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->K, NULL, -1))
283         return 0;
284 
285     inc_128(ctr);
286     if (!ctr_update(drbg, entropy, entropylen, pers, perslen, nonce, noncelen))
287         return 0;
288     return 1;
289 }
290 
drbg_ctr_reseed(RAND_DRBG * drbg,const unsigned char * entropy,size_t entropylen,const unsigned char * adin,size_t adinlen)291 __owur static int drbg_ctr_reseed(RAND_DRBG *drbg,
292                                   const unsigned char *entropy, size_t entropylen,
293                                   const unsigned char *adin, size_t adinlen)
294 {
295     RAND_DRBG_CTR *ctr = &drbg->data.ctr;
296 
297     if (entropy == NULL)
298         return 0;
299 
300     inc_128(ctr);
301     if (!ctr_update(drbg, entropy, entropylen, adin, adinlen, NULL, 0))
302         return 0;
303     return 1;
304 }
305 
ctr96_inc(unsigned char * counter)306 static void ctr96_inc(unsigned char *counter)
307 {
308     u32 n = 12, c = 1;
309 
310     do {
311         --n;
312         c += counter[n];
313         counter[n] = (u8)c;
314         c >>= 8;
315     } while (n);
316 }
317 
drbg_ctr_generate(RAND_DRBG * drbg,unsigned char * out,size_t outlen,const unsigned char * adin,size_t adinlen)318 __owur static int drbg_ctr_generate(RAND_DRBG *drbg,
319                                     unsigned char *out, size_t outlen,
320                                     const unsigned char *adin, size_t adinlen)
321 {
322     RAND_DRBG_CTR *ctr = &drbg->data.ctr;
323     unsigned int ctr32, blocks;
324     int outl, buflen;
325 
326     if (adin != NULL && adinlen != 0) {
327         inc_128(ctr);
328 
329         if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
330             return 0;
331         /* This means we reuse derived value */
332         if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
333             adin = NULL;
334             adinlen = 1;
335         }
336     } else {
337         adinlen = 0;
338     }
339 
340     inc_128(ctr);
341 
342     if (outlen == 0) {
343         inc_128(ctr);
344 
345         if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
346             return 0;
347         return 1;
348     }
349 
350     memset(out, 0, outlen);
351 
352     do {
353         if (!EVP_CipherInit_ex(ctr->ctx_ctr,
354                                NULL, NULL, NULL, ctr->V, -1))
355             return 0;
356 
357         /*-
358          * outlen has type size_t while EVP_CipherUpdate takes an
359          * int argument and thus cannot be guaranteed to process more
360          * than 2^31-1 bytes at a time. We process such huge generate
361          * requests in 2^30 byte chunks, which is the greatest multiple
362          * of AES block size lower than or equal to 2^31-1.
363          */
364         buflen = outlen > (1U << 30) ? (1U << 30) : outlen;
365         blocks = (buflen + 15) / 16;
366 
367         ctr32 = GETU32(ctr->V + 12) + blocks;
368         if (ctr32 < blocks) {
369             /* 32-bit counter overflow into V. */
370             if (ctr32 != 0) {
371                 blocks -= ctr32;
372                 buflen = blocks * 16;
373                 ctr32 = 0;
374             }
375             ctr96_inc(ctr->V);
376         }
377         PUTU32(ctr->V + 12, ctr32);
378 
379         if (!EVP_CipherUpdate(ctr->ctx_ctr, out, &outl, out, buflen)
380             || outl != buflen)
381             return 0;
382 
383         out += buflen;
384         outlen -= buflen;
385     } while (outlen);
386 
387     if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
388         return 0;
389     return 1;
390 }
391 
drbg_ctr_uninstantiate(RAND_DRBG * drbg)392 static int drbg_ctr_uninstantiate(RAND_DRBG *drbg)
393 {
394     EVP_CIPHER_CTX_free(drbg->data.ctr.ctx_ecb);
395     EVP_CIPHER_CTX_free(drbg->data.ctr.ctx_ctr);
396     EVP_CIPHER_CTX_free(drbg->data.ctr.ctx_df);
397     OPENSSL_cleanse(&drbg->data.ctr, sizeof(drbg->data.ctr));
398     return 1;
399 }
400 
401 static RAND_DRBG_METHOD drbg_ctr_meth = {
402     drbg_ctr_instantiate,
403     drbg_ctr_reseed,
404     drbg_ctr_generate,
405     drbg_ctr_uninstantiate
406 };
407 
drbg_ctr_init(RAND_DRBG * drbg)408 int drbg_ctr_init(RAND_DRBG *drbg)
409 {
410     RAND_DRBG_CTR *ctr = &drbg->data.ctr;
411     size_t keylen;
412 
413     switch (drbg->type) {
414     default:
415         /* This can't happen, but silence the compiler warning. */
416         return 0;
417     case NID_aes_128_ctr:
418         keylen = 16;
419         ctr->cipher_ecb = EVP_aes_128_ecb();
420         ctr->cipher_ctr = EVP_aes_128_ctr();
421         break;
422     case NID_aes_192_ctr:
423         keylen = 24;
424         ctr->cipher_ecb = EVP_aes_192_ecb();
425         ctr->cipher_ctr = EVP_aes_192_ctr();
426         break;
427     case NID_aes_256_ctr:
428         keylen = 32;
429         ctr->cipher_ecb = EVP_aes_256_ecb();
430         ctr->cipher_ctr = EVP_aes_256_ctr();
431         break;
432     }
433 
434     drbg->meth = &drbg_ctr_meth;
435 
436     ctr->keylen = keylen;
437     if (ctr->ctx_ecb == NULL)
438         ctr->ctx_ecb = EVP_CIPHER_CTX_new();
439     if (ctr->ctx_ctr == NULL)
440         ctr->ctx_ctr = EVP_CIPHER_CTX_new();
441     if (ctr->ctx_ecb == NULL || ctr->ctx_ctr == NULL
442         || !EVP_CipherInit_ex(ctr->ctx_ecb,
443                               ctr->cipher_ecb, NULL, NULL, NULL, 1)
444         || !EVP_CipherInit_ex(ctr->ctx_ctr,
445                               ctr->cipher_ctr, NULL, NULL, NULL, 1))
446         return 0;
447 
448     drbg->meth = &drbg_ctr_meth;
449     drbg->strength = keylen * 8;
450     drbg->seedlen = keylen + 16;
451 
452     if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
453         /* df initialisation */
454         static const unsigned char df_key[32] = {
455             0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
456             0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
457             0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
458             0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
459         };
460 
461         if (ctr->ctx_df == NULL)
462             ctr->ctx_df = EVP_CIPHER_CTX_new();
463         if (ctr->ctx_df == NULL)
464             return 0;
465         /* Set key schedule for df_key */
466         if (!EVP_CipherInit_ex(ctr->ctx_df,
467                                ctr->cipher_ecb, NULL, df_key, NULL, 1))
468             return 0;
469 
470         drbg->min_entropylen = ctr->keylen;
471         drbg->max_entropylen = DRBG_MAX_LENGTH;
472         drbg->min_noncelen = drbg->min_entropylen / 2;
473         drbg->max_noncelen = DRBG_MAX_LENGTH;
474         drbg->max_perslen = DRBG_MAX_LENGTH;
475         drbg->max_adinlen = DRBG_MAX_LENGTH;
476     } else {
477         drbg->min_entropylen = drbg->seedlen;
478         drbg->max_entropylen = drbg->seedlen;
479         /* Nonce not used */
480         drbg->min_noncelen = 0;
481         drbg->max_noncelen = 0;
482         drbg->max_perslen = drbg->seedlen;
483         drbg->max_adinlen = drbg->seedlen;
484     }
485 
486     drbg->max_request = 1 << 16;
487 
488     return 1;
489 }
490