using Org.BouncyCastle.Crypto.Parameters; using Org.BouncyCastle.Crypto.Utilities; using Org.BouncyCastle.Utilities; using Org.BouncyCastle.Utilities.Encoders; using System; namespace Org.BouncyCastle.Crypto.Prng.Drbg { public sealed class CtrSP800Drbg : ISP80090Drbg { private static readonly long TDEA_RESEED_MAX = 2147483648; private static readonly long AES_RESEED_MAX = 140737488355328; private static readonly int TDEA_MAX_BITS_REQUEST = 4096; private static readonly int AES_MAX_BITS_REQUEST = 262144; private readonly IEntropySource mEntropySource; private readonly IBlockCipher mEngine; private readonly int mKeySizeInBits; private readonly int mSeedLength; private readonly int mSecurityStrength; private byte[] mKey; private byte[] mV; private long mReseedCounter; private bool mIsTdea; private static readonly byte[] K_BITS = Hex.DecodeStrict("000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F"); public int BlockSize => mV.Length * 8; public CtrSP800Drbg(IBlockCipher engine, int keySizeInBits, int securityStrength, IEntropySource entropySource, byte[] personalizationString, byte[] nonce) { if (securityStrength > 256) throw new ArgumentException("Requested security strength is not supported by the derivation function"); if (GetMaxSecurityStrength(engine, keySizeInBits) < securityStrength) throw new ArgumentException("Requested security strength is not supported by block cipher and key size"); if (entropySource.EntropySize < securityStrength) throw new ArgumentException("Not enough entropy for security strength required"); mEntropySource = entropySource; mEngine = engine; mKeySizeInBits = keySizeInBits; mSecurityStrength = securityStrength; mSeedLength = keySizeInBits + engine.GetBlockSize() * 8; mIsTdea = IsTdea(engine); CTR_DRBG_Instantiate_algorithm(personalizationString, nonce); } private void CTR_DRBG_Instantiate_algorithm(byte[] personalisationString, byte[] nonce) { byte[] entropy = GetEntropy(); byte[] input = Arrays.ConcatenateAll(entropy, nonce, personalisationString); byte[] array = BlockCipherDF(input, mSeedLength / 8); int blockSize = mEngine.GetBlockSize(); mKey = new byte[(mKeySizeInBits + 7) / 8]; mV = new byte[blockSize]; CTR_DRBG_Update(array, mKey, mV); mReseedCounter = 1; } private unsafe void CTR_DRBG_Update(ReadOnlySpan<byte> seed, Span<byte> key, Span<byte> v) { int length = seed.Length; Span<byte> span; int num; if (length <= 256) { num = length; span = new Span<byte>(stackalloc byte[(int)(uint)num], num); } else span = new byte[length]; Span<byte> span2 = span; int blockSize = mEngine.GetBlockSize(); if (blockSize <= 64) { num = blockSize; span = new Span<byte>(stackalloc byte[(int)(uint)num], num); } else span = new byte[blockSize]; Span<byte> output = span; mEngine.Init(true, ExpandToKeyParameter(key)); for (int i = 0; i * blockSize < seed.Length; i++) { AddOneTo(v); mEngine.ProcessBlock(v, output); int length2 = System.Math.Min(blockSize, span2.Length - i * blockSize); span = output.Slice(0, length2); num = i * blockSize; span.CopyTo(span2.Slice(num, span2.Length - num)); } Bytes.XorTo(length, seed, span2); key.CopyFrom(span2); num = key.Length; v.CopyFrom(span2.Slice(num, span2.Length - num)); } private unsafe void CTR_DRBG_Reseed_algorithm(ReadOnlySpan<byte> additionalInput) { int entropyLength = GetEntropyLength(); int num = entropyLength + additionalInput.Length; Span<byte> span; int num2; if (num <= 256) { num2 = num; span = new Span<byte>(stackalloc byte[(int)(uint)num2], num2); } else span = new byte[num]; Span<byte> span2 = span; GetEntropy(span2.Slice(0, entropyLength)); num2 = entropyLength; additionalInput.CopyTo(span2.Slice(num2, span2.Length - num2)); byte[] array = BlockCipherDF(span2, mSeedLength / 8); span2.Fill(0); CTR_DRBG_Update(array, mKey, mV); Array.Clear(array, 0, array.Length); mReseedCounter = 1; } private void AddOneTo(Span<byte> longer) { uint num = 1; int num2 = longer.Length; while (--num2 >= 0) { num += longer[num2]; longer[num2] = (byte)num; num >>= 8; } } private byte[] GetEntropy() { byte[] entropy = mEntropySource.GetEntropy(); if (entropy == null || entropy.Length < (mSecurityStrength + 7) / 8) throw new InvalidOperationException("Insufficient entropy provided by entropy source"); return entropy; } private int GetEntropy(Span<byte> output) { int entropy = mEntropySource.GetEntropy(output); if (entropy < (mSecurityStrength + 7) / 8) throw new InvalidOperationException("Insufficient entropy provided by entropy source"); return entropy; } private int GetEntropyLength() { return (mEntropySource.EntropySize + 7) / 8; } private byte[] BlockCipherDF(byte[] input, int N) { return BlockCipherDF(input.AsSpan(), N); } private unsafe byte[] BlockCipherDF(ReadOnlySpan<byte> input, int N) { int blockSize = mEngine.GetBlockSize(); int length = input.Length; int num = (8 + length + 1 + blockSize - 1) / blockSize * blockSize; Span<byte> span; int num2; if (num <= 256) { num2 = num; span = new Span<byte>(stackalloc byte[(int)(uint)num2], num2); } else span = new byte[num]; Span<byte> span2 = span; Pack.UInt32_To_BE((uint)length, span2); Pack.UInt32_To_BE((uint)N, span2.Slice(4, span2.Length - 4)); input.CopyTo(span2.Slice(8, span2.Length - 8)); span2[8 + length] = 128; int num3 = mKeySizeInBits / 8; int num4 = num3 + blockSize; if (num4 <= 128) { num2 = num4; span = new Span<byte>(stackalloc byte[(int)(uint)num2], num2); } else span = new byte[num4]; Span<byte> span3 = span; if (blockSize <= 64) { num2 = blockSize; span = new Span<byte>(stackalloc byte[(int)(uint)num2], num2); } else span = new byte[blockSize]; Span<byte> bccOut = span; if (blockSize <= 64) { num2 = blockSize; span = new Span<byte>(stackalloc byte[(int)(uint)num2], num2); } else span = new byte[blockSize]; Span<byte> span4 = span; KeyParameter parameters = ExpandToKeyParameter(K_BITS.AsSpan(0, num3)); mEngine.Init(true, parameters); for (int i = 0; i * blockSize < num4; i++) { Pack.UInt32_To_BE((uint)i, span4); BCC(bccOut, span4, span2); int length2 = System.Math.Min(blockSize, num4 - i * blockSize); span = bccOut.Slice(0, length2); num2 = i * blockSize; span.CopyTo(span3.Slice(num2, span3.Length - num2)); } KeyParameter parameters2 = ExpandToKeyParameter(span3.Slice(0, num3)); mEngine.Init(true, parameters2); num2 = num3; Span<byte> span5 = span3.Slice(num2, span3.Length - num2); byte[] array = new byte[N]; for (int j = 0; j * blockSize < array.Length; j++) { mEngine.ProcessBlock(span5, span5); int length3 = System.Math.Min(blockSize, array.Length - j * blockSize); span = span5.Slice(0, length3); span.CopyTo(array.AsSpan(j * blockSize)); } return array; } private unsafe void BCC(Span<byte> bccOut, ReadOnlySpan<byte> iV, ReadOnlySpan<byte> data) { int blockSize = mEngine.GetBlockSize(); Span<byte> span; if (blockSize <= 64) { int num = blockSize; span = new Span<byte>(stackalloc byte[(int)(uint)num], num); } else span = new byte[blockSize]; Span<byte> span2 = span; if (blockSize <= 64) { int num = blockSize; span = new Span<byte>(stackalloc byte[(int)(uint)num], num); } else span = new byte[blockSize]; Span<byte> span3 = span; mEngine.ProcessBlock(iV, span2); int num2 = data.Length / blockSize; for (int i = 0; i < num2; i++) { int len = blockSize; ReadOnlySpan<byte> x = span2; int num = i * blockSize; Bytes.Xor(len, x, data.Slice(num, data.Length - num), span3); mEngine.ProcessBlock(span3, span2); } bccOut.CopyFrom(span2); } public int Generate(byte[] output, int outputOff, int outputLen, byte[] additionalInput, bool predictionResistant) { Span<byte> output2 = output.AsSpan(outputOff, outputLen); if (additionalInput != null) return GenerateWithInput(output2, additionalInput.AsSpan(), predictionResistant); return Generate(output2, predictionResistant); } public int Generate(Span<byte> output, bool predictionResistant) { int length = output.Length; if (mIsTdea) { if (mReseedCounter > TDEA_RESEED_MAX) return -1; if (length > TDEA_MAX_BITS_REQUEST / 8) throw new ArgumentException("Number of bits per request limited to " + TDEA_MAX_BITS_REQUEST.ToString(), "output"); } else { if (mReseedCounter > AES_RESEED_MAX) return -1; if (length > AES_MAX_BITS_REQUEST / 8) throw new ArgumentException("Number of bits per request limited to " + AES_MAX_BITS_REQUEST.ToString(), "output"); } if (predictionResistant) CTR_DRBG_Reseed_algorithm(ReadOnlySpan<byte>.Empty); byte[] array = new byte[mSeedLength / 8]; return ImplGenerate(array, output); } public int GenerateWithInput(Span<byte> output, ReadOnlySpan<byte> additionalInput, bool predictionResistant) { int length = output.Length; if (mIsTdea) { if (mReseedCounter > TDEA_RESEED_MAX) return -1; if (length > TDEA_MAX_BITS_REQUEST / 8) throw new ArgumentException("Number of bits per request limited to " + TDEA_MAX_BITS_REQUEST.ToString(), "output"); } else { if (mReseedCounter > AES_RESEED_MAX) return -1; if (length > AES_MAX_BITS_REQUEST / 8) throw new ArgumentException("Number of bits per request limited to " + AES_MAX_BITS_REQUEST.ToString(), "output"); } int num = mSeedLength / 8; byte[] array; if (predictionResistant) { CTR_DRBG_Reseed_algorithm(additionalInput); array = new byte[num]; } else { array = BlockCipherDF(additionalInput, num); CTR_DRBG_Update(array, mKey, mV); } return ImplGenerate(array, output); } private unsafe int ImplGenerate(ReadOnlySpan<byte> seed, Span<byte> output) { mEngine.Init(true, ExpandToKeyParameter(mKey)); Span<byte> span; if (mV.Length <= 64) { int num = mV.Length; span = new Span<byte>(stackalloc byte[(int)(uint)num], num); } else span = new byte[mV.Length]; Span<byte> output2 = span; int length = output.Length; int i = 0; for (int num2 = length / output2.Length; i <= num2; i++) { int num3 = System.Math.Min(output2.Length, length - i * output2.Length); if (num3 != 0) { AddOneTo(mV); mEngine.ProcessBlock(mV, output2); span = output2.Slice(0, num3); int num = i * output2.Length; span.CopyTo(output.Slice(num, output.Length - num)); } } CTR_DRBG_Update(seed, mKey, mV); mReseedCounter++; return length * 8; } public void Reseed(byte[] additionalInput) { Reseed(Spans.FromNullableReadOnly(additionalInput)); } public void Reseed(ReadOnlySpan<byte> additionalInput) { CTR_DRBG_Reseed_algorithm(additionalInput); } private bool IsTdea(IBlockCipher cipher) { if (!cipher.AlgorithmName.Equals("DESede")) return cipher.AlgorithmName.Equals("TDEA"); return true; } private int GetMaxSecurityStrength(IBlockCipher cipher, int keySizeInBits) { if (IsTdea(cipher) && keySizeInBits == 168) return 112; if (cipher.AlgorithmName.Equals("AES")) return keySizeInBits; return -1; } private KeyParameter ExpandToKeyParameter(byte[] key) { if (!mIsTdea) return new KeyParameter(key); byte[] array = new byte[24]; PadKey(key, 0, array, 0); PadKey(key, 7, array, 8); PadKey(key, 14, array, 16); return new KeyParameter(array); } private unsafe KeyParameter ExpandToKeyParameter(ReadOnlySpan<byte> key) { if (!mIsTdea) return new KeyParameter(key); Span<byte> span = new Span<byte>(stackalloc byte[24], 24); PadKey(key, span); PadKey(key.Slice(7, key.Length - 7), span.Slice(8, span.Length - 8)); PadKey(key.Slice(14, key.Length - 14), span.Slice(16, span.Length - 16)); return new KeyParameter(span); } private void PadKey(byte[] keyMaster, int keyOff, byte[] tmp, int tmpOff) { PadKey(keyMaster.AsSpan(keyOff), tmp.AsSpan(tmpOff)); } private void PadKey(ReadOnlySpan<byte> keyMaster, Span<byte> tmp) { tmp[0] = (byte)(keyMaster[0] & 254); tmp[1] = (byte)((keyMaster[0] << 7) | ((keyMaster[1] & 252) >> 1)); tmp[2] = (byte)((keyMaster[1] << 6) | ((keyMaster[2] & 248) >> 2)); tmp[3] = (byte)((keyMaster[2] << 5) | ((keyMaster[3] & 240) >> 3)); tmp[4] = (byte)((keyMaster[3] << 4) | ((keyMaster[4] & 224) >> 4)); tmp[5] = (byte)((keyMaster[4] << 3) | ((keyMaster[5] & 192) >> 5)); tmp[6] = (byte)((keyMaster[5] << 2) | ((keyMaster[6] & 128) >> 6)); tmp[7] = (byte)(keyMaster[6] << 1); DesParameters.SetOddParity(tmp.Slice(0, 8)); } } }