Coverage Report

Created: 2024-11-21 07:03

/src/openssl/providers/implementations/rands/drbg_ctr.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * Copyright 2011-2024 The OpenSSL Project Authors. All Rights Reserved.
3
 *
4
 * Licensed under the Apache License 2.0 (the "License").  You may not use
5
 * this file except in compliance with the License.  You can obtain a copy
6
 * in the file LICENSE in the source distribution or at
7
 * https://www.openssl.org/source/license.html
8
 */
9
10
#include <stdlib.h>
11
#include <string.h>
12
#include <openssl/crypto.h>
13
#include <openssl/err.h>
14
#include <openssl/rand.h>
15
#include <openssl/aes.h>
16
#include <openssl/proverr.h>
17
#include "crypto/modes.h"
18
#include "internal/thread_once.h"
19
#include "prov/implementations.h"
20
#include "prov/providercommon.h"
21
#include "prov/provider_ctx.h"
22
#include "drbg_local.h"
23
24
static OSSL_FUNC_rand_newctx_fn drbg_ctr_new_wrapper;
25
static OSSL_FUNC_rand_freectx_fn drbg_ctr_free;
26
static OSSL_FUNC_rand_instantiate_fn drbg_ctr_instantiate_wrapper;
27
static OSSL_FUNC_rand_uninstantiate_fn drbg_ctr_uninstantiate_wrapper;
28
static OSSL_FUNC_rand_generate_fn drbg_ctr_generate_wrapper;
29
static OSSL_FUNC_rand_reseed_fn drbg_ctr_reseed_wrapper;
30
static OSSL_FUNC_rand_settable_ctx_params_fn drbg_ctr_settable_ctx_params;
31
static OSSL_FUNC_rand_set_ctx_params_fn drbg_ctr_set_ctx_params;
32
static OSSL_FUNC_rand_gettable_ctx_params_fn drbg_ctr_gettable_ctx_params;
33
static OSSL_FUNC_rand_get_ctx_params_fn drbg_ctr_get_ctx_params;
34
static OSSL_FUNC_rand_verify_zeroization_fn drbg_ctr_verify_zeroization;
35
36
static int drbg_ctr_set_ctx_params_locked(void *vctx, const OSSL_PARAM params[]);
37
38
/*
39
 * The state of a DRBG AES-CTR.
40
 */
41
typedef struct rand_drbg_ctr_st {
42
    EVP_CIPHER_CTX *ctx_ecb;
43
    EVP_CIPHER_CTX *ctx_ctr;
44
    EVP_CIPHER_CTX *ctx_df;
45
    EVP_CIPHER *cipher_ecb;
46
    EVP_CIPHER *cipher_ctr;
47
    size_t keylen;
48
    int use_df;
49
    unsigned char K[32];
50
    unsigned char V[16];
51
    /* Temporary block storage used by ctr_df */
52
    unsigned char bltmp[16];
53
    size_t bltmp_pos;
54
    unsigned char KX[48];
55
} PROV_DRBG_CTR;
56
57
/*
58
 * Implementation of NIST SP 800-90A CTR DRBG.
59
 */
60
static void inc_128(PROV_DRBG_CTR *ctr)
61
377k
{
62
377k
    unsigned char *p = &ctr->V[0];
63
377k
    u32 n = 16, c = 1;
64
65
6.04M
    do {
66
6.04M
        --n;
67
6.04M
        c += p[n];
68
6.04M
        p[n] = (u8)c;
69
6.04M
        c >>= 8;
70
6.04M
    } while (n);
71
377k
}
72
73
static void ctr_XOR(PROV_DRBG_CTR *ctr, const unsigned char *in, size_t inlen)
74
20
{
75
20
    size_t i, n;
76
77
20
    if (in == NULL || inlen == 0)
78
0
        return;
79
80
    /*
81
     * Any zero padding will have no effect on the result as we
82
     * are XORing. So just process however much input we have.
83
     */
84
20
    n = inlen < ctr->keylen ? inlen : ctr->keylen;
85
660
    for (i = 0; i < n; i++)
86
640
        ctr->K[i] ^= in[i];
87
20
    if (inlen <= ctr->keylen)
88
0
        return;
89
90
20
    n = inlen - ctr->keylen;
91
20
    if (n > 16) {
92
        /* Should never happen */
93
0
        n = 16;
94
0
    }
95
340
    for (i = 0; i < n; i++)
96
320
        ctr->V[i] ^= in[i + ctr->keylen];
97
20
}
98
99
/*
100
 * Process a complete block using BCC algorithm of SP 800-90A 10.3.3
101
 */
102
__owur static int ctr_BCC_block(PROV_DRBG_CTR *ctr, unsigned char *out,
103
                                const unsigned char *in, int len)
104
62
{
105
62
    int i, outlen = AES_BLOCK_SIZE;
106
107
3.03k
    for (i = 0; i < len; i++)
108
2.97k
        out[i] ^= in[i];
109
110
62
    if (!EVP_CipherUpdate(ctr->ctx_df, out, &outlen, out, len)
111
62
        || outlen != len)
112
0
        return 0;
113
62
    return 1;
114
62
}
115
116
117
/*
118
 * Handle several BCC operations for as much data as we need for K and X
119
 */
120
__owur static int ctr_BCC_blocks(PROV_DRBG_CTR *ctr, const unsigned char *in)
121
48
{
122
48
    unsigned char in_tmp[48];
123
48
    unsigned char num_of_blk = 2;
124
125
48
    memcpy(in_tmp, in, 16);
126
48
    memcpy(in_tmp + 16, in, 16);
127
48
    if (ctr->keylen != 16) {
128
48
        memcpy(in_tmp + 32, in, 16);
129
48
        num_of_blk = 3;
130
48
    }
131
48
    return ctr_BCC_block(ctr, ctr->KX, in_tmp, AES_BLOCK_SIZE * num_of_blk);
132
48
}
133
134
/*
135
 * Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
136
 * see 10.3.1 stage 7.
137
 */
138
__owur static int ctr_BCC_init(PROV_DRBG_CTR *ctr)
139
14
{
140
14
    unsigned char bltmp[48] = {0};
141
14
    unsigned char num_of_blk;
142
143
14
    memset(ctr->KX, 0, 48);
144
14
    num_of_blk = ctr->keylen == 16 ? 2 : 3;
145
14
    bltmp[(AES_BLOCK_SIZE * 1) + 3] = 1;
146
14
    bltmp[(AES_BLOCK_SIZE * 2) + 3] = 2;
147
14
    return ctr_BCC_block(ctr, ctr->KX, bltmp, num_of_blk * AES_BLOCK_SIZE);
148
14
}
149
150
/*
151
 * Process several blocks into BCC algorithm, some possibly partial
152
 */
153
__owur static int ctr_BCC_update(PROV_DRBG_CTR *ctr,
154
                                 const unsigned char *in, size_t inlen)
155
56
{
156
56
    if (in == NULL || inlen == 0)
157
24
        return 1;
158
159
    /* If we have partial block handle it first */
160
32
    if (ctr->bltmp_pos) {
161
26
        size_t left = 16 - ctr->bltmp_pos;
162
163
        /* If we now have a complete block process it */
164
26
        if (inlen >= left) {
165
18
            memcpy(ctr->bltmp + ctr->bltmp_pos, in, left);
166
18
            if (!ctr_BCC_blocks(ctr, ctr->bltmp))
167
0
                return 0;
168
18
            ctr->bltmp_pos = 0;
169
18
            inlen -= left;
170
18
            in += left;
171
18
        }
172
26
    }
173
174
    /* Process zero or more complete blocks */
175
48
    for (; inlen >= 16; in += 16, inlen -= 16) {
176
16
        if (!ctr_BCC_blocks(ctr, in))
177
0
            return 0;
178
16
    }
179
180
    /* Copy any remaining partial block to the temporary buffer */
181
32
    if (inlen > 0) {
182
26
        memcpy(ctr->bltmp + ctr->bltmp_pos, in, inlen);
183
26
        ctr->bltmp_pos += inlen;
184
26
    }
185
32
    return 1;
186
32
}
187
188
__owur static int ctr_BCC_final(PROV_DRBG_CTR *ctr)
189
14
{
190
14
    if (ctr->bltmp_pos) {
191
14
        memset(ctr->bltmp + ctr->bltmp_pos, 0, 16 - ctr->bltmp_pos);
192
14
        if (!ctr_BCC_blocks(ctr, ctr->bltmp))
193
0
            return 0;
194
14
    }
195
14
    return 1;
196
14
}
197
198
__owur static int ctr_df(PROV_DRBG_CTR *ctr,
199
                         const unsigned char *in1, size_t in1len,
200
                         const unsigned char *in2, size_t in2len,
201
                         const unsigned char *in3, size_t in3len)
202
14
{
203
14
    static unsigned char c80 = 0x80;
204
14
    size_t inlen;
205
14
    unsigned char *p = ctr->bltmp;
206
14
    int outlen = AES_BLOCK_SIZE;
207
208
14
    if (!ctr_BCC_init(ctr))
209
0
        return 0;
210
14
    if (in1 == NULL)
211
0
        in1len = 0;
212
14
    if (in2 == NULL)
213
14
        in2len = 0;
214
14
    if (in3 == NULL)
215
10
        in3len = 0;
216
14
    inlen = in1len + in2len + in3len;
217
    /* Initialise L||N in temporary block */
218
14
    *p++ = (inlen >> 24) & 0xff;
219
14
    *p++ = (inlen >> 16) & 0xff;
220
14
    *p++ = (inlen >> 8) & 0xff;
221
14
    *p++ = inlen & 0xff;
222
223
    /* NB keylen is at most 32 bytes */
224
14
    *p++ = 0;
225
14
    *p++ = 0;
226
14
    *p++ = 0;
227
14
    *p = (unsigned char)((ctr->keylen + 16) & 0xff);
228
14
    ctr->bltmp_pos = 8;
229
14
    if (!ctr_BCC_update(ctr, in1, in1len)
230
14
        || !ctr_BCC_update(ctr, in2, in2len)
231
14
        || !ctr_BCC_update(ctr, in3, in3len)
232
14
        || !ctr_BCC_update(ctr, &c80, 1)
233
14
        || !ctr_BCC_final(ctr))
234
0
        return 0;
235
    /* Set up key K */
236
14
    if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->KX, NULL, -1))
237
0
        return 0;
238
    /* X follows key K */
239
14
    if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX, &outlen, ctr->KX + ctr->keylen,
240
14
                          AES_BLOCK_SIZE)
241
14
        || outlen != AES_BLOCK_SIZE)
242
0
        return 0;
243
14
    if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX + 16, &outlen, ctr->KX,
244
14
                          AES_BLOCK_SIZE)
245
14
        || outlen != AES_BLOCK_SIZE)
246
0
        return 0;
247
14
    if (ctr->keylen != 16)
248
14
        if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX + 32, &outlen,
249
14
                              ctr->KX + 16, AES_BLOCK_SIZE)
250
14
            || outlen != AES_BLOCK_SIZE)
251
0
            return 0;
252
14
    return 1;
253
14
}
254
255
/*
256
 * NB the no-df Update in SP800-90A specifies a constant input length
257
 * of seedlen, however other uses of this algorithm pad the input with
258
 * zeroes if necessary and have up to two parameters XORed together,
259
 * so we handle both cases in this function instead.
260
 */
261
__owur static int ctr_update(PROV_DRBG *drbg,
262
                             const unsigned char *in1, size_t in1len,
263
                             const unsigned char *in2, size_t in2len,
264
                             const unsigned char *nonce, size_t noncelen)
265
125k
{
266
125k
    PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
267
125k
    int outlen = AES_BLOCK_SIZE;
268
125k
    unsigned char V_tmp[48], out[48];
269
125k
    unsigned char len;
270
271
    /* correct key is already set up. */
272
125k
    memcpy(V_tmp, ctr->V, 16);
273
125k
    inc_128(ctr);
274
125k
    memcpy(V_tmp + 16, ctr->V, 16);
275
125k
    if (ctr->keylen == 16) {
276
0
        len = 32;
277
125k
    } else {
278
125k
        inc_128(ctr);
279
125k
        memcpy(V_tmp + 32, ctr->V, 16);
280
125k
        len = 48;
281
125k
    }
282
125k
    if (!EVP_CipherUpdate(ctr->ctx_ecb, out, &outlen, V_tmp, len)
283
125k
            || outlen != len)
284
0
        return 0;
285
125k
    memcpy(ctr->K, out, ctr->keylen);
286
125k
    memcpy(ctr->V, out + ctr->keylen, 16);
287
288
125k
    if (ctr->use_df) {
289
        /* If no input reuse existing derived value */
290
125k
        if (in1 != NULL || nonce != NULL || in2 != NULL)
291
14
            if (!ctr_df(ctr, in1, in1len, nonce, noncelen, in2, in2len))
292
0
                return 0;
293
        /* If this a reuse input in1len != 0 */
294
125k
        if (in1len)
295
20
            ctr_XOR(ctr, ctr->KX, drbg->seedlen);
296
125k
    } else {
297
0
        ctr_XOR(ctr, in1, in1len);
298
0
        ctr_XOR(ctr, in2, in2len);
299
0
    }
300
301
125k
    if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->K, NULL, -1)
302
125k
        || !EVP_CipherInit_ex(ctr->ctx_ctr, NULL, NULL, ctr->K, NULL, -1))
303
0
        return 0;
304
125k
    return 1;
305
125k
}
306
307
static int drbg_ctr_instantiate(PROV_DRBG *drbg,
308
                                const unsigned char *entropy, size_t entropylen,
309
                                const unsigned char *nonce, size_t noncelen,
310
                                const unsigned char *pers, size_t perslen)
311
4
{
312
4
    PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
313
314
4
    if (entropy == NULL)
315
0
        return 0;
316
317
4
    memset(ctr->K, 0, sizeof(ctr->K));
318
4
    memset(ctr->V, 0, sizeof(ctr->V));
319
4
    if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->K, NULL, -1))
320
0
        return 0;
321
322
4
    inc_128(ctr);
323
4
    if (!ctr_update(drbg, entropy, entropylen, pers, perslen, nonce, noncelen))
324
0
        return 0;
325
4
    return 1;
326
4
}
327
328
static int drbg_ctr_instantiate_wrapper(void *vdrbg, unsigned int strength,
329
                                        int prediction_resistance,
330
                                        const unsigned char *pstr,
331
                                        size_t pstr_len,
332
                                        const OSSL_PARAM params[])
333
4
{
334
4
    PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
335
4
    int ret = 0;
336
337
4
    if (drbg->lock != NULL && !CRYPTO_THREAD_write_lock(drbg->lock))
338
0
        return 0;
339
340
4
    if (!ossl_prov_is_running()
341
4
            || !drbg_ctr_set_ctx_params_locked(drbg, params))
342
0
        goto err;
343
4
    ret = ossl_prov_drbg_instantiate(drbg, strength, prediction_resistance,
344
4
                                     pstr, pstr_len);
345
4
 err:
346
4
    if (drbg->lock != NULL)
347
0
        CRYPTO_THREAD_unlock(drbg->lock);
348
4
    return ret;
349
4
}
350
351
static int drbg_ctr_reseed(PROV_DRBG *drbg,
352
                           const unsigned char *entropy, size_t entropylen,
353
                           const unsigned char *adin, size_t adinlen)
354
4
{
355
4
    PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
356
357
4
    if (entropy == NULL)
358
0
        return 0;
359
360
4
    inc_128(ctr);
361
4
    if (!ctr_update(drbg, entropy, entropylen, adin, adinlen, NULL, 0))
362
0
        return 0;
363
4
    return 1;
364
4
}
365
366
static int drbg_ctr_reseed_wrapper(void *vdrbg, int prediction_resistance,
367
                                   const unsigned char *ent, size_t ent_len,
368
                                   const unsigned char *adin, size_t adin_len)
369
0
{
370
0
    PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
371
372
0
    return ossl_prov_drbg_reseed(drbg, prediction_resistance, ent, ent_len,
373
0
                                 adin, adin_len);
374
0
}
375
376
static void ctr96_inc(unsigned char *counter)
377
0
{
378
0
    u32 n = 12, c = 1;
379
380
0
    do {
381
0
        --n;
382
0
        c += counter[n];
383
0
        counter[n] = (u8)c;
384
0
        c >>= 8;
385
0
    } while (n);
386
0
}
387
388
static int drbg_ctr_generate(PROV_DRBG *drbg,
389
                             unsigned char *out, size_t outlen,
390
                             const unsigned char *adin, size_t adinlen)
391
251k
{
392
251k
    PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
393
251k
    unsigned int ctr32, blocks;
394
251k
    int outl, buflen;
395
396
251k
    if (adin != NULL && adinlen != 0) {
397
12
        inc_128(ctr);
398
399
12
        if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
400
0
            return 0;
401
        /* This means we reuse derived value */
402
12
        if (ctr->use_df) {
403
12
            adin = NULL;
404
12
            adinlen = 1;
405
12
        }
406
251k
    } else {
407
251k
        adinlen = 0;
408
251k
    }
409
410
251k
    inc_128(ctr);
411
412
251k
    if (outlen == 0) {
413
0
        inc_128(ctr);
414
415
0
        if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
416
0
            return 0;
417
0
        return 1;
418
0
    }
419
420
251k
    memset(out, 0, outlen);
421
422
251k
    do {
423
251k
        if (!EVP_CipherInit_ex(ctr->ctx_ctr,
424
251k
                               NULL, NULL, NULL, ctr->V, -1))
425
0
            return 0;
426
427
        /*-
428
         * outlen has type size_t while EVP_CipherUpdate takes an
429
         * int argument and thus cannot be guaranteed to process more
430
         * than 2^31-1 bytes at a time. We process such huge generate
431
         * requests in 2^30 byte chunks, which is the greatest multiple
432
         * of AES block size lower than or equal to 2^31-1.
433
         */
434
251k
        buflen = outlen > (1U << 30) ? (1U << 30) : outlen;
435
251k
        blocks = (buflen + 15) / 16;
436
437
251k
        ctr32 = GETU32(ctr->V + 12) + blocks;
438
251k
        if (ctr32 < blocks) {
439
            /* 32-bit counter overflow into V. */
440
0
            if (ctr32 != 0) {
441
0
                blocks -= ctr32;
442
0
                buflen = blocks * 16;
443
0
                ctr32 = 0;
444
0
            }
445
0
            ctr96_inc(ctr->V);
446
0
        }
447
251k
        PUTU32(ctr->V + 12, ctr32);
448
449
251k
        if (!EVP_CipherUpdate(ctr->ctx_ctr, out, &outl, out, buflen)
450
251k
            || outl != buflen)
451
0
            return 0;
452
453
251k
        out += buflen;
454
251k
        outlen -= buflen;
455
251k
    } while (outlen);
456
457
251k
    if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
458
0
        return 0;
459
251k
    return 1;
460
251k
}
drbg_ctr.c:drbg_ctr_generate
Line
Count
Source
391
125k
{
392
125k
    PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
393
125k
    unsigned int ctr32, blocks;
394
125k
    int outl, buflen;
395
396
125k
    if (adin != NULL && adinlen != 0) {
397
6
        inc_128(ctr);
398
399
6
        if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
400
0
            return 0;
401
        /* This means we reuse derived value */
402
6
        if (ctr->use_df) {
403
6
            adin = NULL;
404
6
            adinlen = 1;
405
6
        }
406
125k
    } else {
407
125k
        adinlen = 0;
408
125k
    }
409
410
125k
    inc_128(ctr);
411
412
125k
    if (outlen == 0) {
413
0
        inc_128(ctr);
414
415
0
        if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
416
0
            return 0;
417
0
        return 1;
418
0
    }
419
420
125k
    memset(out, 0, outlen);
421
422
125k
    do {
423
125k
        if (!EVP_CipherInit_ex(ctr->ctx_ctr,
424
125k
                               NULL, NULL, NULL, ctr->V, -1))
425
0
            return 0;
426
427
        /*-
428
         * outlen has type size_t while EVP_CipherUpdate takes an
429
         * int argument and thus cannot be guaranteed to process more
430
         * than 2^31-1 bytes at a time. We process such huge generate
431
         * requests in 2^30 byte chunks, which is the greatest multiple
432
         * of AES block size lower than or equal to 2^31-1.
433
         */
434
125k
        buflen = outlen > (1U << 30) ? (1U << 30) : outlen;
435
125k
        blocks = (buflen + 15) / 16;
436
437
125k
        ctr32 = GETU32(ctr->V + 12) + blocks;
438
125k
        if (ctr32 < blocks) {
439
            /* 32-bit counter overflow into V. */
440
0
            if (ctr32 != 0) {
441
0
                blocks -= ctr32;
442
0
                buflen = blocks * 16;
443
0
                ctr32 = 0;
444
0
            }
445
0
            ctr96_inc(ctr->V);
446
0
        }
447
125k
        PUTU32(ctr->V + 12, ctr32);
448
449
125k
        if (!EVP_CipherUpdate(ctr->ctx_ctr, out, &outl, out, buflen)
450
125k
            || outl != buflen)
451
0
            return 0;
452
453
125k
        out += buflen;
454
125k
        outlen -= buflen;
455
125k
    } while (outlen);
456
457
125k
    if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
458
0
        return 0;
459
125k
    return 1;
460
125k
}
drbg_ctr.c:drbg_ctr_generate
Line
Count
Source
391
125k
{
392
125k
    PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
393
125k
    unsigned int ctr32, blocks;
394
125k
    int outl, buflen;
395
396
125k
    if (adin != NULL && adinlen != 0) {
397
6
        inc_128(ctr);
398
399
6
        if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
400
0
            return 0;
401
        /* This means we reuse derived value */
402
6
        if (ctr->use_df) {
403
6
            adin = NULL;
404
6
            adinlen = 1;
405
6
        }
406
125k
    } else {
407
125k
        adinlen = 0;
408
125k
    }
409
410
125k
    inc_128(ctr);
411
412
125k
    if (outlen == 0) {
413
0
        inc_128(ctr);
414
415
0
        if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
416
0
            return 0;
417
0
        return 1;
418
0
    }
419
420
125k
    memset(out, 0, outlen);
421
422
125k
    do {
423
125k
        if (!EVP_CipherInit_ex(ctr->ctx_ctr,
424
125k
                               NULL, NULL, NULL, ctr->V, -1))
425
0
            return 0;
426
427
        /*-
428
         * outlen has type size_t while EVP_CipherUpdate takes an
429
         * int argument and thus cannot be guaranteed to process more
430
         * than 2^31-1 bytes at a time. We process such huge generate
431
         * requests in 2^30 byte chunks, which is the greatest multiple
432
         * of AES block size lower than or equal to 2^31-1.
433
         */
434
125k
        buflen = outlen > (1U << 30) ? (1U << 30) : outlen;
435
125k
        blocks = (buflen + 15) / 16;
436
437
125k
        ctr32 = GETU32(ctr->V + 12) + blocks;
438
125k
        if (ctr32 < blocks) {
439
            /* 32-bit counter overflow into V. */
440
0
            if (ctr32 != 0) {
441
0
                blocks -= ctr32;
442
0
                buflen = blocks * 16;
443
0
                ctr32 = 0;
444
0
            }
445
0
            ctr96_inc(ctr->V);
446
0
        }
447
125k
        PUTU32(ctr->V + 12, ctr32);
448
449
125k
        if (!EVP_CipherUpdate(ctr->ctx_ctr, out, &outl, out, buflen)
450
125k
            || outl != buflen)
451
0
            return 0;
452
453
125k
        out += buflen;
454
125k
        outlen -= buflen;
455
125k
    } while (outlen);
456
457
125k
    if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
458
0
        return 0;
459
125k
    return 1;
460
125k
}
461
462
static int drbg_ctr_generate_wrapper
463
    (void *vdrbg, unsigned char *out, size_t outlen,
464
     unsigned int strength, int prediction_resistance,
465
     const unsigned char *adin, size_t adin_len)
466
125k
{
467
125k
    PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
468
469
125k
    return ossl_prov_drbg_generate(drbg, out, outlen, strength,
470
125k
                                   prediction_resistance, adin, adin_len);
471
125k
}
472
473
static int drbg_ctr_uninstantiate(PROV_DRBG *drbg)
474
0
{
475
0
    PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
476
477
0
    OPENSSL_cleanse(ctr->K, sizeof(ctr->K));
478
0
    OPENSSL_cleanse(ctr->V, sizeof(ctr->V));
479
0
    OPENSSL_cleanse(ctr->bltmp, sizeof(ctr->bltmp));
480
0
    OPENSSL_cleanse(ctr->KX, sizeof(ctr->KX));
481
0
    ctr->bltmp_pos = 0;
482
0
    return ossl_prov_drbg_uninstantiate(drbg);
483
0
}
484
485
static int drbg_ctr_uninstantiate_wrapper(void *vdrbg)
486
0
{
487
0
    PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
488
0
    int ret;
489
490
0
    if (drbg->lock != NULL && !CRYPTO_THREAD_write_lock(drbg->lock))
491
0
        return 0;
492
493
0
    ret = drbg_ctr_uninstantiate(drbg);
494
495
0
    if (drbg->lock != NULL)
496
0
        CRYPTO_THREAD_unlock(drbg->lock);
497
498
0
    return ret;
499
0
}
500
501
static int drbg_ctr_verify_zeroization(void *vdrbg)
502
0
{
503
0
    PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
504
0
    PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
505
0
    int ret = 0;
506
507
0
    if (drbg->lock != NULL && !CRYPTO_THREAD_read_lock(drbg->lock))
508
0
        return 0;
509
510
0
    PROV_DRBG_VERIFY_ZEROIZATION(ctr->K);
511
0
    PROV_DRBG_VERIFY_ZEROIZATION(ctr->V);
512
0
    PROV_DRBG_VERIFY_ZEROIZATION(ctr->bltmp);
513
0
    PROV_DRBG_VERIFY_ZEROIZATION(ctr->KX);
514
0
    if (ctr->bltmp_pos != 0)
515
0
        goto err;
516
517
0
    ret = 1;
518
0
 err:
519
0
    if (drbg->lock != NULL)
520
0
        CRYPTO_THREAD_unlock(drbg->lock);
521
0
    return ret;
522
0
}
523
524
static int drbg_ctr_init_lengths(PROV_DRBG *drbg)
525
8
{
526
8
    PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
527
8
    int res = 1;
528
529
    /* Maximum number of bits per request = 2^19  = 2^16 bytes */
530
8
    drbg->max_request = 1 << 16;
531
8
    if (ctr->use_df) {
532
8
        drbg->min_entropylen = 0;
533
8
        drbg->max_entropylen = DRBG_MAX_LENGTH;
534
8
        drbg->min_noncelen = 0;
535
8
        drbg->max_noncelen = DRBG_MAX_LENGTH;
536
8
        drbg->max_perslen = DRBG_MAX_LENGTH;
537
8
        drbg->max_adinlen = DRBG_MAX_LENGTH;
538
539
8
        if (ctr->keylen > 0) {
540
4
            drbg->min_entropylen = ctr->keylen;
541
4
            drbg->min_noncelen = drbg->min_entropylen / 2;
542
4
        }
543
8
    } else {
544
0
        const size_t len = ctr->keylen > 0 ? drbg->seedlen : DRBG_MAX_LENGTH;
545
546
0
        drbg->min_entropylen = len;
547
0
        drbg->max_entropylen = len;
548
        /* Nonce not used */
549
0
        drbg->min_noncelen = 0;
550
0
        drbg->max_noncelen = 0;
551
0
        drbg->max_perslen = len;
552
0
        drbg->max_adinlen = len;
553
0
    }
554
8
    return res;
555
8
}
556
557
static int drbg_ctr_init(PROV_DRBG *drbg)
558
4
{
559
4
    PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
560
4
    size_t keylen;
561
562
4
    if (ctr->cipher_ctr == NULL) {
563
0
        ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CIPHER);
564
0
        return 0;
565
0
    }
566
4
    ctr->keylen = keylen = EVP_CIPHER_get_key_length(ctr->cipher_ctr);
567
4
    if (ctr->ctx_ecb == NULL)
568
4
        ctr->ctx_ecb = EVP_CIPHER_CTX_new();
569
4
    if (ctr->ctx_ctr == NULL)
570
4
        ctr->ctx_ctr = EVP_CIPHER_CTX_new();
571
4
    if (ctr->ctx_ecb == NULL || ctr->ctx_ctr == NULL) {
572
0
        ERR_raise(ERR_LIB_PROV, ERR_R_EVP_LIB);
573
0
        goto err;
574
0
    }
575
576
4
    if (!EVP_CipherInit_ex(ctr->ctx_ecb,
577
4
                           ctr->cipher_ecb, NULL, NULL, NULL, 1)
578
4
        || !EVP_CipherInit_ex(ctr->ctx_ctr,
579
4
                              ctr->cipher_ctr, NULL, NULL, NULL, 1)) {
580
0
        ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_INITIALISE_CIPHERS);
581
0
        goto err;
582
0
    }
583
584
4
    drbg->strength = keylen * 8;
585
4
    drbg->seedlen = keylen + 16;
586
587
4
    if (ctr->use_df) {
588
        /* df initialisation */
589
4
        static const unsigned char df_key[32] = {
590
4
            0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
591
4
            0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
592
4
            0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
593
4
            0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
594
4
        };
595
596
4
        if (ctr->ctx_df == NULL)
597
4
            ctr->ctx_df = EVP_CIPHER_CTX_new();
598
4
        if (ctr->ctx_df == NULL) {
599
0
            ERR_raise(ERR_LIB_PROV, ERR_R_EVP_LIB);
600
0
            goto err;
601
0
        }
602
        /* Set key schedule for df_key */
603
4
        if (!EVP_CipherInit_ex(ctr->ctx_df,
604
4
                               ctr->cipher_ecb, NULL, df_key, NULL, 1)) {
605
0
            ERR_raise(ERR_LIB_PROV, PROV_R_DERIVATION_FUNCTION_INIT_FAILED);
606
0
            goto err;
607
0
        }
608
4
    }
609
4
    return drbg_ctr_init_lengths(drbg);
610
611
0
err:
612
0
    EVP_CIPHER_CTX_free(ctr->ctx_ecb);
613
0
    EVP_CIPHER_CTX_free(ctr->ctx_ctr);
614
0
    ctr->ctx_ecb = ctr->ctx_ctr = NULL;
615
0
    return 0;
616
4
}
617
618
static int drbg_ctr_new(PROV_DRBG *drbg)
619
4
{
620
4
    PROV_DRBG_CTR *ctr;
621
622
4
    ctr = OPENSSL_secure_zalloc(sizeof(*ctr));
623
4
    if (ctr == NULL)
624
0
        return 0;
625
626
4
    ctr->use_df = 1;
627
4
    drbg->data = ctr;
628
4
    OSSL_FIPS_IND_INIT(drbg)
629
4
    return drbg_ctr_init_lengths(drbg);
630
4
}
631
632
static void *drbg_ctr_new_wrapper(void *provctx, void *parent,
633
                                   const OSSL_DISPATCH *parent_dispatch)
634
4
{
635
4
    return ossl_rand_drbg_new(provctx, parent, parent_dispatch,
636
4
                              &drbg_ctr_new, &drbg_ctr_free,
637
4
                              &drbg_ctr_instantiate, &drbg_ctr_uninstantiate,
638
4
                              &drbg_ctr_reseed, &drbg_ctr_generate);
639
4
}
640
641
static void drbg_ctr_free(void *vdrbg)
642
4
{
643
4
    PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
644
4
    PROV_DRBG_CTR *ctr;
645
646
4
    if (drbg != NULL && (ctr = (PROV_DRBG_CTR *)drbg->data) != NULL) {
647
4
        EVP_CIPHER_CTX_free(ctr->ctx_ecb);
648
4
        EVP_CIPHER_CTX_free(ctr->ctx_ctr);
649
4
        EVP_CIPHER_CTX_free(ctr->ctx_df);
650
4
        EVP_CIPHER_free(ctr->cipher_ecb);
651
4
        EVP_CIPHER_free(ctr->cipher_ctr);
652
653
4
        OPENSSL_secure_clear_free(ctr, sizeof(*ctr));
654
4
    }
655
4
    ossl_rand_drbg_free(drbg);
656
4
}
657
658
static int drbg_ctr_get_ctx_params(void *vdrbg, OSSL_PARAM params[])
659
251k
{
660
251k
    PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
661
251k
    PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
662
251k
    OSSL_PARAM *p;
663
251k
    int ret = 0, complete = 0;
664
665
251k
    if (!ossl_drbg_get_ctx_params_no_lock(drbg, params, &complete))
666
0
        return 0;
667
668
251k
    if (complete)
669
251k
        return 1;
670
671
8
    if (drbg->lock != NULL && !CRYPTO_THREAD_read_lock(drbg->lock))
672
0
        return 0;
673
674
8
    p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_USE_DF);
675
8
    if (p != NULL && !OSSL_PARAM_set_int(p, ctr->use_df))
676
0
        goto err;
677
678
8
    p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_CIPHER);
679
8
    if (p != NULL) {
680
0
        if (ctr->cipher_ctr == NULL
681
0
            || !OSSL_PARAM_set_utf8_string(p,
682
0
                                           EVP_CIPHER_get0_name(ctr->cipher_ctr)))
683
0
            goto err;
684
0
    }
685
686
8
    ret = ossl_drbg_get_ctx_params(drbg, params);
687
8
 err:
688
8
    if (drbg->lock != NULL)
689
8
        CRYPTO_THREAD_unlock(drbg->lock);
690
691
8
    return ret;
692
8
}
693
694
static const OSSL_PARAM *drbg_ctr_gettable_ctx_params(ossl_unused void *vctx,
695
                                                      ossl_unused void *provctx)
696
0
{
697
0
    static const OSSL_PARAM known_gettable_ctx_params[] = {
698
0
        OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_CIPHER, NULL, 0),
699
0
        OSSL_PARAM_int(OSSL_DRBG_PARAM_USE_DF, NULL),
700
0
        OSSL_PARAM_DRBG_GETTABLE_CTX_COMMON,
701
0
        OSSL_FIPS_IND_GETTABLE_CTX_PARAM()
702
0
        OSSL_PARAM_END
703
0
    };
704
0
    return known_gettable_ctx_params;
705
0
}
706
707
static int drbg_ctr_set_ctx_params_locked(void *vctx, const OSSL_PARAM params[])
708
4
{
709
4
    PROV_DRBG *ctx = (PROV_DRBG *)vctx;
710
4
    PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)ctx->data;
711
4
    OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
712
4
    const OSSL_PARAM *p;
713
4
    char *ecb;
714
4
    const char *propquery = NULL;
715
4
    int i, cipher_init = 0;
716
717
4
    if ((p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_USE_DF)) != NULL
718
4
            && OSSL_PARAM_get_int(p, &i)) {
719
        /* FIPS errors out in the drbg_ctr_init() call later */
720
4
        ctr->use_df = i != 0;
721
4
        cipher_init = 1;
722
4
    }
723
724
4
    if ((p = OSSL_PARAM_locate_const(params,
725
4
                                     OSSL_DRBG_PARAM_PROPERTIES)) != NULL) {
726
0
        if (p->data_type != OSSL_PARAM_UTF8_STRING)
727
0
            return 0;
728
0
        propquery = (const char *)p->data;
729
0
    }
730
731
4
    if ((p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_CIPHER)) != NULL) {
732
4
        const char *base = (const char *)p->data;
733
4
        size_t ctr_str_len = sizeof("CTR") - 1;
734
4
        size_t ecb_str_len = sizeof("ECB") - 1;
735
736
4
        if (p->data_type != OSSL_PARAM_UTF8_STRING
737
4
                || p->data_size < ctr_str_len)
738
0
            return 0;
739
4
        if (OPENSSL_strcasecmp("CTR", base + p->data_size - ctr_str_len) != 0) {
740
0
            ERR_raise(ERR_LIB_PROV, PROV_R_REQUIRE_CTR_MODE_CIPHER);
741
0
            return 0;
742
0
        }
743
4
        if ((ecb = OPENSSL_strndup(base, p->data_size)) == NULL)
744
0
            return 0;
745
4
        strcpy(ecb + p->data_size - ecb_str_len, "ECB");
746
4
        EVP_CIPHER_free(ctr->cipher_ecb);
747
4
        EVP_CIPHER_free(ctr->cipher_ctr);
748
4
        ctr->cipher_ctr = EVP_CIPHER_fetch(libctx, base, propquery);
749
4
        ctr->cipher_ecb = EVP_CIPHER_fetch(libctx, ecb, propquery);
750
4
        OPENSSL_free(ecb);
751
4
        if (ctr->cipher_ctr == NULL || ctr->cipher_ecb == NULL) {
752
0
            ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_FIND_CIPHERS);
753
0
            return 0;
754
0
        }
755
4
        cipher_init = 1;
756
4
    }
757
758
4
    if (cipher_init && !drbg_ctr_init(ctx))
759
0
        return 0;
760
761
4
    return ossl_drbg_set_ctx_params(ctx, params);
762
4
}
763
764
static int drbg_ctr_set_ctx_params(void *vctx, const OSSL_PARAM params[])
765
0
{
766
0
    PROV_DRBG *drbg = (PROV_DRBG *)vctx;
767
0
    int ret;
768
769
0
    if (drbg->lock != NULL && !CRYPTO_THREAD_write_lock(drbg->lock))
770
0
        return 0;
771
772
0
    ret = drbg_ctr_set_ctx_params_locked(vctx, params);
773
774
0
    if (drbg->lock != NULL)
775
0
        CRYPTO_THREAD_unlock(drbg->lock);
776
777
0
    return ret;
778
0
}
779
780
static const OSSL_PARAM *drbg_ctr_settable_ctx_params(ossl_unused void *vctx,
781
                                                      ossl_unused void *provctx)
782
4
{
783
4
    static const OSSL_PARAM known_settable_ctx_params[] = {
784
4
        OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_PROPERTIES, NULL, 0),
785
4
        OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_CIPHER, NULL, 0),
786
4
        OSSL_PARAM_int(OSSL_DRBG_PARAM_USE_DF, NULL),
787
4
        OSSL_PARAM_DRBG_SETTABLE_CTX_COMMON,
788
4
        OSSL_PARAM_END
789
4
    };
790
4
    return known_settable_ctx_params;
791
4
}
792
793
const OSSL_DISPATCH ossl_drbg_ctr_functions[] = {
794
    { OSSL_FUNC_RAND_NEWCTX, (void(*)(void))drbg_ctr_new_wrapper },
795
    { OSSL_FUNC_RAND_FREECTX, (void(*)(void))drbg_ctr_free },
796
    { OSSL_FUNC_RAND_INSTANTIATE,
797
      (void(*)(void))drbg_ctr_instantiate_wrapper },
798
    { OSSL_FUNC_RAND_UNINSTANTIATE,
799
      (void(*)(void))drbg_ctr_uninstantiate_wrapper },
800
    { OSSL_FUNC_RAND_GENERATE, (void(*)(void))drbg_ctr_generate_wrapper },
801
    { OSSL_FUNC_RAND_RESEED, (void(*)(void))drbg_ctr_reseed_wrapper },
802
    { OSSL_FUNC_RAND_ENABLE_LOCKING, (void(*)(void))ossl_drbg_enable_locking },
803
    { OSSL_FUNC_RAND_LOCK, (void(*)(void))ossl_drbg_lock },
804
    { OSSL_FUNC_RAND_UNLOCK, (void(*)(void))ossl_drbg_unlock },
805
    { OSSL_FUNC_RAND_SETTABLE_CTX_PARAMS,
806
      (void(*)(void))drbg_ctr_settable_ctx_params },
807
    { OSSL_FUNC_RAND_SET_CTX_PARAMS, (void(*)(void))drbg_ctr_set_ctx_params },
808
    { OSSL_FUNC_RAND_GETTABLE_CTX_PARAMS,
809
      (void(*)(void))drbg_ctr_gettable_ctx_params },
810
    { OSSL_FUNC_RAND_GET_CTX_PARAMS, (void(*)(void))drbg_ctr_get_ctx_params },
811
    { OSSL_FUNC_RAND_VERIFY_ZEROIZATION,
812
      (void(*)(void))drbg_ctr_verify_zeroization },
813
    { OSSL_FUNC_RAND_GET_SEED, (void(*)(void))ossl_drbg_get_seed },
814
    { OSSL_FUNC_RAND_CLEAR_SEED, (void(*)(void))ossl_drbg_clear_seed },
815
    OSSL_DISPATCH_END
816
};