33 unsigned char tmp[16]; in br_aesctr_drbg_init()
35 ctx->vtable = &br_aesctr_drbg_vtable; in br_aesctr_drbg_init()
37 aesctr->init(&ctx->sk.vtable, tmp, 16); in br_aesctr_drbg_init()
38 ctx->cc = 0; in br_aesctr_drbg_init()
57 * condition; also, it should work on 16-bit architectures in br_aesctr_drbg_generate()
58 * (where 'size_t' is 16 bits only). in br_aesctr_drbg_generate()
69 if ((uint32_t)(ctx->cc + ((clen + 15) >> 4)) > 32768) { in br_aesctr_drbg_generate()
70 clen = (32768 - ctx->cc) << 4; in br_aesctr_drbg_generate()
80 ctx->cc = ctx->sk.vtable->run(&ctx->sk.vtable, in br_aesctr_drbg_generate()
81 iv, ctx->cc, buf, clen); in br_aesctr_drbg_generate()
83 len -= clen; in br_aesctr_drbg_generate()
88 if (ctx->cc >= 32768) { in br_aesctr_drbg_generate()
99 * We use a Hirose construction on AES-256 to make a hash function. in br_aesctr_drbg_update()
101 * - running state consists in two 16-byte blocks G and H in br_aesctr_drbg_update()
102 * - initial values of G and H are conventional in br_aesctr_drbg_update()
103 * - there is a fixed block-sized constant C in br_aesctr_drbg_update()
104 * - for next data block m: in br_aesctr_drbg_update()
106 * G' = E(G) xor G in br_aesctr_drbg_update()
107 * H' = E(G xor C) xor G xor C in br_aesctr_drbg_update()
108 * G <- G', H <- H' in br_aesctr_drbg_update()
109 * - once all blocks have been processed, output is H||G in br_aesctr_drbg_update()
118 * - produce a state-dependent value s as encryption of an in br_aesctr_drbg_update()
119 * all-one block with AES and the current key in br_aesctr_drbg_update()
120 * - compute the new key as the first 128 bits of h(s||seed) in br_aesctr_drbg_update()
126 unsigned char s[16], iv[12]; in br_aesctr_drbg_update()
127 unsigned char G[16], H[16]; in br_aesctr_drbg_update() local
131 * Use an all-one IV to get a fresh output block that depends on the in br_aesctr_drbg_update()
135 memset(s, 0, 16); in br_aesctr_drbg_update()
136 ctx->sk.vtable->run(&ctx->sk.vtable, iv, 0xFFFFFFFF, s, 16); in br_aesctr_drbg_update()
139 * Set G[] and H[] to conventional start values. in br_aesctr_drbg_update()
141 memset(G, 0xB6, sizeof G); in br_aesctr_drbg_update()
151 unsigned char newG[16]; in br_aesctr_drbg_update()
156 memcpy(tmp, H, 16); in br_aesctr_drbg_update()
158 memcpy(tmp + 16, s, 16); in br_aesctr_drbg_update()
166 clen = len < 16 ? len : 16; in br_aesctr_drbg_update()
167 memcpy(tmp + 16, seed, clen); in br_aesctr_drbg_update()
168 memset(tmp + 16 + clen, 0, 16 - clen); in br_aesctr_drbg_update()
170 len -= clen; in br_aesctr_drbg_update()
172 ctx->sk.vtable->init(&ctx->sk.vtable, tmp, 32); in br_aesctr_drbg_update()
175 * Compute new G and H values. in br_aesctr_drbg_update()
177 memcpy(iv, G, 12); in br_aesctr_drbg_update()
178 memcpy(newG, G, 16); in br_aesctr_drbg_update()
179 ctx->sk.vtable->run(&ctx->sk.vtable, iv, in br_aesctr_drbg_update()
180 br_dec32be(G + 12), newG, 16); in br_aesctr_drbg_update()
182 memcpy(H, G, 16); in br_aesctr_drbg_update()
184 ctx->sk.vtable->run(&ctx->sk.vtable, iv, in br_aesctr_drbg_update()
185 br_dec32be(G + 12), H, 16); in br_aesctr_drbg_update()
186 memcpy(G, newG, 16); in br_aesctr_drbg_update()
190 * Output hash value is H||G. We truncate it to its first 128 bits, in br_aesctr_drbg_update()
193 ctx->sk.vtable->init(&ctx->sk.vtable, H, 16); in br_aesctr_drbg_update()
194 ctx->cc = 0; in br_aesctr_drbg_update()