diff --git a/ChangeLog b/ChangeLog
index ca50c7e2f9a253067ef6b2a1018197515fda7abd..08547f703c01b2e2b128defa7469f46a76c4c263 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,10 +1,14 @@
 2023-12-06  Niels Möller  <nisse@lysator.liu.se>
 
+	* drbg-ctr-aes256.c (drbg_ctr_aes256_output): New helper function.
+	(drbg_ctr_aes256_update, drbg_ctr_aes256_random): Use it.
+
 	From Simon Josefsson:
 	* drbg-ctr.h (struct drbg_ctr_aes256_ctx): New context struct.
 	(DRBG_CTR_AES256_SEED_SIZE): New constant.
 	* drbg-ctr-aes256.c (drbg_ctr_aes256_update)
 	(drbg_ctr_aes256_init, drbg_ctr_aes256_random): New file, new functions.
+
 	* testsuite/drbg-ctr-aes256-test.c: New testcase.
 	* nettle.texinfo (Randomness): Document DRBG-CTR.
 
diff --git a/drbg-ctr-aes256.c b/drbg-ctr-aes256.c
index 9a7badd6a1485d17a71dcbd9806cc8263cd84786..a62b62ecd400512295333cf8c2dc10032b3ef259 100644
--- a/drbg-ctr-aes256.c
+++ b/drbg-ctr-aes256.c
@@ -40,6 +40,25 @@
 #include "memxor.h"
 #include "block-internal.h"
 
+static void
+drbg_ctr_aes256_output (const struct aes256_ctx *key, union nettle_block16 *V,
+			size_t n, uint8_t *dst)
+{
+  for (; n >= AES_BLOCK_SIZE; n -= AES_BLOCK_SIZE, dst += AES_BLOCK_SIZE)
+    {
+      INCREMENT(AES_BLOCK_SIZE, V->b);
+      aes256_encrypt (key, AES_BLOCK_SIZE, dst, V->b);
+    }
+  if (n > 0)
+    {
+      union nettle_block16 block;
+
+      INCREMENT(AES_BLOCK_SIZE, V->b);
+      aes256_encrypt (key, AES_BLOCK_SIZE, block.b, V->b);
+      memcpy (dst, block.b, n);
+    }
+}
+
 /* provided_data is either NULL or a pointer to
    DRBG_CTR_AES256_SEED_SIZE (= 48) bytes. */
 static void
@@ -47,15 +66,7 @@ drbg_ctr_aes256_update (struct aes256_ctx *key,
 			union nettle_block16 *V, const uint8_t *provided_data)
 {
   union nettle_block16 tmp[3];
-
-  INCREMENT (AES_BLOCK_SIZE, V->b);
-  aes256_encrypt (key, AES_BLOCK_SIZE, tmp[0].b, V->b);
-
-  INCREMENT (AES_BLOCK_SIZE, V->b);
-  aes256_encrypt (key, AES_BLOCK_SIZE, tmp[1].b, V->b);
-
-  INCREMENT (AES_BLOCK_SIZE, V->b);
-  aes256_encrypt (key, AES_BLOCK_SIZE, tmp[2].b, V->b);
+  drbg_ctr_aes256_output (key, V, DRBG_CTR_AES256_SEED_SIZE, tmp[0].b);
 
   if (provided_data)
     memxor (tmp[0].b, provided_data, DRBG_CTR_AES256_SEED_SIZE);
@@ -79,22 +90,6 @@ void
 drbg_ctr_aes256_random (struct drbg_ctr_aes256_ctx *ctx,
 			size_t n, uint8_t *dst)
 {
-  while (n >= AES_BLOCK_SIZE)
-    {
-      INCREMENT (AES_BLOCK_SIZE, ctx->V.b);
-      aes256_encrypt (&ctx->key, AES_BLOCK_SIZE, dst, ctx->V.b);
-      dst += AES_BLOCK_SIZE;
-      n -= AES_BLOCK_SIZE;
-    }
-
-  if (n > 0)
-    {
-      union nettle_block16 block;
-
-      INCREMENT (AES_BLOCK_SIZE, ctx->V.b);
-      aes256_encrypt (&ctx->key, AES_BLOCK_SIZE, block.b, ctx->V.b);
-      memcpy (dst, block.b, n);
-    }
-
+  drbg_ctr_aes256_output (&ctx->key, &ctx->V, n, dst);
   drbg_ctr_aes256_update (&ctx->key, &ctx->V, NULL);
 }