1 /**
2  * \file hmac_drbg.h
3  *
4  * \brief The HMAC_DRBG pseudorandom generator.
5  *
6  * This module implements the HMAC_DRBG pseudorandom generator described
7  * in <em>NIST SP 800-90A: Recommendation for Random Number Generation Using
8  * Deterministic Random Bit Generators</em>.
9  */
10 /*
11  *  Copyright The Mbed TLS Contributors
12  *  SPDX-License-Identifier: Apache-2.0
13  *
14  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
15  *  not use this file except in compliance with the License.
16  *  You may obtain a copy of the License at
17  *
18  *  http://www.apache.org/licenses/LICENSE-2.0
19  *
20  *  Unless required by applicable law or agreed to in writing, software
21  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
22  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
23  *  See the License for the specific language governing permissions and
24  *  limitations under the License.
25  */
26 #ifndef MBEDTLS_HMAC_DRBG_H
27 #define MBEDTLS_HMAC_DRBG_H
28 #include "mbedtls/private_access.h"
29 
30 #include "mbedtls/build_info.h"
31 
32 #include "mbedtls/md.h"
33 
34 #if defined(MBEDTLS_THREADING_C)
35 #include "mbedtls/threading.h"
36 #endif
37 
38 /*
39  * Error codes
40  */
41 /** Too many random requested in single call. */
42 #define MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG              -0x0003
43 /** Input too large (Entropy + additional). */
44 #define MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG                -0x0005
45 /** Read/write error in file. */
46 #define MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR                -0x0007
47 /** The entropy source failed. */
48 #define MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED        -0x0009
49 
50 /**
51  * \name SECTION: Module settings
52  *
53  * The configuration options you can set for this module are in this section.
54  * Either change them in mbedtls_config.h or define them on the compiler command line.
55  * \{
56  */
57 
58 #if !defined(MBEDTLS_HMAC_DRBG_RESEED_INTERVAL)
59 #define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL   10000   /**< Interval before reseed is performed by default */
60 #endif
61 
62 #if !defined(MBEDTLS_HMAC_DRBG_MAX_INPUT)
63 #define MBEDTLS_HMAC_DRBG_MAX_INPUT         256     /**< Maximum number of additional input bytes */
64 #endif
65 
66 #if !defined(MBEDTLS_HMAC_DRBG_MAX_REQUEST)
67 #define MBEDTLS_HMAC_DRBG_MAX_REQUEST       1024    /**< Maximum number of requested bytes per call */
68 #endif
69 
70 #if !defined(MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT)
71 #define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT    384     /**< Maximum size of (re)seed buffer */
72 #endif
73 
74 /** \} name SECTION: Module settings */
75 
76 #define MBEDTLS_HMAC_DRBG_PR_OFF   0   /**< No prediction resistance       */
77 #define MBEDTLS_HMAC_DRBG_PR_ON    1   /**< Prediction resistance enabled  */
78 
79 #ifdef __cplusplus
80 extern "C" {
81 #endif
82 
83 /**
84  * HMAC_DRBG context.
85  */
86 typedef struct mbedtls_hmac_drbg_context {
87     /* Working state: the key K is not stored explicitly,
88      * but is implied by the HMAC context */
89     mbedtls_md_context_t MBEDTLS_PRIVATE(md_ctx);                    /*!< HMAC context (inc. K)  */
90     unsigned char MBEDTLS_PRIVATE(V)[MBEDTLS_MD_MAX_SIZE];  /*!< V in the spec          */
91     int MBEDTLS_PRIVATE(reseed_counter);                     /*!< reseed counter         */
92 
93     /* Administrative state */
94     size_t MBEDTLS_PRIVATE(entropy_len);         /*!< entropy bytes grabbed on each (re)seed */
95     int MBEDTLS_PRIVATE(prediction_resistance);  /*!< enable prediction resistance (Automatic
96                                                     reseed before every random generation) */
97     int MBEDTLS_PRIVATE(reseed_interval);        /*!< reseed interval   */
98 
99     /* Callbacks */
100     int(*MBEDTLS_PRIVATE(f_entropy))(void *, unsigned char *, size_t);  /*!< entropy function */
101     void *MBEDTLS_PRIVATE(p_entropy);            /*!< context for the entropy function        */
102 
103 #if defined(MBEDTLS_THREADING_C)
104     /* Invariant: the mutex is initialized if and only if
105      * md_ctx->md_info != NULL. This means that the mutex is initialized
106      * during the initial seeding in mbedtls_hmac_drbg_seed() or
107      * mbedtls_hmac_drbg_seed_buf() and freed in mbedtls_ctr_drbg_free().
108      *
109      * Note that this invariant may change without notice. Do not rely on it
110      * and do not access the mutex directly in application code.
111      */
112     mbedtls_threading_mutex_t MBEDTLS_PRIVATE(mutex);
113 #endif
114 } mbedtls_hmac_drbg_context;
115 
116 /**
117  * \brief               HMAC_DRBG context initialization.
118  *
119  * This function makes the context ready for mbedtls_hmac_drbg_seed(),
120  * mbedtls_hmac_drbg_seed_buf() or mbedtls_hmac_drbg_free().
121  *
122  * \note                The reseed interval is #MBEDTLS_HMAC_DRBG_RESEED_INTERVAL
123  *                      by default. Override this value by calling
124  *                      mbedtls_hmac_drbg_set_reseed_interval().
125  *
126  * \param ctx           HMAC_DRBG context to be initialized.
127  */
128 void mbedtls_hmac_drbg_init(mbedtls_hmac_drbg_context *ctx);
129 
130 /**
131  * \brief               HMAC_DRBG initial seeding.
132  *
133  * Set the initial seed and set up the entropy source for future reseeds.
134  *
135  * A typical choice for the \p f_entropy and \p p_entropy parameters is
136  * to use the entropy module:
137  * - \p f_entropy is mbedtls_entropy_func();
138  * - \p p_entropy is an instance of ::mbedtls_entropy_context initialized
139  *   with mbedtls_entropy_init() (which registers the platform's default
140  *   entropy sources).
141  *
142  * You can provide a personalization string in addition to the
143  * entropy source, to make this instantiation as unique as possible.
144  *
145  * \note                By default, the security strength as defined by NIST is:
146  *                      - 128 bits if \p md_info is SHA-1;
147  *                      - 192 bits if \p md_info is SHA-224;
148  *                      - 256 bits if \p md_info is SHA-256, SHA-384 or SHA-512.
149  *                      Note that SHA-256 is just as efficient as SHA-224.
150  *                      The security strength can be reduced if a smaller
151  *                      entropy length is set with
152  *                      mbedtls_hmac_drbg_set_entropy_len().
153  *
154  * \note                The default entropy length is the security strength
155  *                      (converted from bits to bytes). You can override
156  *                      it by calling mbedtls_hmac_drbg_set_entropy_len().
157  *
158  * \note                During the initial seeding, this function calls
159  *                      the entropy source to obtain a nonce
160  *                      whose length is half the entropy length.
161  */
162 #if defined(MBEDTLS_THREADING_C)
163 /**
164  * \note                When Mbed TLS is built with threading support,
165  *                      after this function returns successfully,
166  *                      it is safe to call mbedtls_hmac_drbg_random()
167  *                      from multiple threads. Other operations, including
168  *                      reseeding, are not thread-safe.
169  */
170 #endif /* MBEDTLS_THREADING_C */
171 /**
172  * \param ctx           HMAC_DRBG context to be seeded.
173  * \param md_info       MD algorithm to use for HMAC_DRBG.
174  * \param f_entropy     The entropy callback, taking as arguments the
175  *                      \p p_entropy context, the buffer to fill, and the
176  *                      length of the buffer.
177  *                      \p f_entropy is always called with a length that is
178  *                      less than or equal to the entropy length.
179  * \param p_entropy     The entropy context to pass to \p f_entropy.
180  * \param custom        The personalization string.
181  *                      This can be \c NULL, in which case the personalization
182  *                      string is empty regardless of the value of \p len.
183  * \param len           The length of the personalization string.
184  *                      This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT
185  *                      and also at most
186  *                      #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \p entropy_len * 3 / 2
187  *                      where \p entropy_len is the entropy length
188  *                      described above.
189  *
190  * \return              \c 0 if successful.
191  * \return              #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info is
192  *                      invalid.
193  * \return              #MBEDTLS_ERR_MD_ALLOC_FAILED if there was not enough
194  *                      memory to allocate context data.
195  * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
196  *                      if the call to \p f_entropy failed.
197  */
198 int mbedtls_hmac_drbg_seed(mbedtls_hmac_drbg_context *ctx,
199                            const mbedtls_md_info_t *md_info,
200                            int (*f_entropy)(void *, unsigned char *, size_t),
201                            void *p_entropy,
202                            const unsigned char *custom,
203                            size_t len);
204 
205 /**
206  * \brief               Initialisation of simplified HMAC_DRBG (never reseeds).
207  *
208  * This function is meant for use in algorithms that need a pseudorandom
209  * input such as deterministic ECDSA.
210  */
211 #if defined(MBEDTLS_THREADING_C)
212 /**
213  * \note                When Mbed TLS is built with threading support,
214  *                      after this function returns successfully,
215  *                      it is safe to call mbedtls_hmac_drbg_random()
216  *                      from multiple threads. Other operations, including
217  *                      reseeding, are not thread-safe.
218  */
219 #endif /* MBEDTLS_THREADING_C */
220 /**
221  * \param ctx           HMAC_DRBG context to be initialised.
222  * \param md_info       MD algorithm to use for HMAC_DRBG.
223  * \param data          Concatenation of the initial entropy string and
224  *                      the additional data.
225  * \param data_len      Length of \p data in bytes.
226  *
227  * \return              \c 0 if successful. or
228  * \return              #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info is
229  *                      invalid.
230  * \return              #MBEDTLS_ERR_MD_ALLOC_FAILED if there was not enough
231  *                      memory to allocate context data.
232  */
233 int mbedtls_hmac_drbg_seed_buf(mbedtls_hmac_drbg_context *ctx,
234                                const mbedtls_md_info_t *md_info,
235                                const unsigned char *data, size_t data_len);
236 
237 /**
238  * \brief               This function turns prediction resistance on or off.
239  *                      The default value is off.
240  *
241  * \note                If enabled, entropy is gathered at the beginning of
242  *                      every call to mbedtls_hmac_drbg_random_with_add()
243  *                      or mbedtls_hmac_drbg_random().
244  *                      Only use this if your entropy source has sufficient
245  *                      throughput.
246  *
247  * \param ctx           The HMAC_DRBG context.
248  * \param resistance    #MBEDTLS_HMAC_DRBG_PR_ON or #MBEDTLS_HMAC_DRBG_PR_OFF.
249  */
250 void mbedtls_hmac_drbg_set_prediction_resistance(mbedtls_hmac_drbg_context *ctx,
251                                                  int resistance);
252 
253 /**
254  * \brief               This function sets the amount of entropy grabbed on each
255  *                      seed or reseed.
256  *
257  * See the documentation of mbedtls_hmac_drbg_seed() for the default value.
258  *
259  * \param ctx           The HMAC_DRBG context.
260  * \param len           The amount of entropy to grab, in bytes.
261  */
262 void mbedtls_hmac_drbg_set_entropy_len(mbedtls_hmac_drbg_context *ctx,
263                                        size_t len);
264 
265 /**
266  * \brief               Set the reseed interval.
267  *
268  * The reseed interval is the number of calls to mbedtls_hmac_drbg_random()
269  * or mbedtls_hmac_drbg_random_with_add() after which the entropy function
270  * is called again.
271  *
272  * The default value is #MBEDTLS_HMAC_DRBG_RESEED_INTERVAL.
273  *
274  * \param ctx           The HMAC_DRBG context.
275  * \param interval      The reseed interval.
276  */
277 void mbedtls_hmac_drbg_set_reseed_interval(mbedtls_hmac_drbg_context *ctx,
278                                            int interval);
279 
280 /**
281  * \brief               This function updates the state of the HMAC_DRBG context.
282  *
283  * \note                This function is not thread-safe. It is not safe
284  *                      to call this function if another thread might be
285  *                      concurrently obtaining random numbers from the same
286  *                      context or updating or reseeding the same context.
287  *
288  * \param ctx           The HMAC_DRBG context.
289  * \param additional    The data to update the state with.
290  *                      If this is \c NULL, there is no additional data.
291  * \param add_len       Length of \p additional in bytes.
292  *                      Unused if \p additional is \c NULL.
293  *
294  * \return              \c 0 on success, or an error from the underlying
295  *                      hash calculation.
296  */
297 int mbedtls_hmac_drbg_update(mbedtls_hmac_drbg_context *ctx,
298                              const unsigned char *additional, size_t add_len);
299 
300 /**
301  * \brief               This function reseeds the HMAC_DRBG context, that is
302  *                      extracts data from the entropy source.
303  *
304  * \note                This function is not thread-safe. It is not safe
305  *                      to call this function if another thread might be
306  *                      concurrently obtaining random numbers from the same
307  *                      context or updating or reseeding the same context.
308  *
309  * \param ctx           The HMAC_DRBG context.
310  * \param additional    Additional data to add to the state.
311  *                      If this is \c NULL, there is no additional data
312  *                      and \p len should be \c 0.
313  * \param len           The length of the additional data.
314  *                      This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT
315  *                      and also at most
316  *                      #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \p entropy_len
317  *                      where \p entropy_len is the entropy length
318  *                      (see mbedtls_hmac_drbg_set_entropy_len()).
319  *
320  * \return              \c 0 if successful.
321  * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
322  *                      if a call to the entropy function failed.
323  */
324 int mbedtls_hmac_drbg_reseed(mbedtls_hmac_drbg_context *ctx,
325                              const unsigned char *additional, size_t len);
326 
327 /**
328  * \brief   This function updates an HMAC_DRBG instance with additional
329  *          data and uses it to generate random data.
330  *
331  * This function automatically reseeds if the reseed counter is exceeded
332  * or prediction resistance is enabled.
333  *
334  * \note                This function is not thread-safe. It is not safe
335  *                      to call this function if another thread might be
336  *                      concurrently obtaining random numbers from the same
337  *                      context or updating or reseeding the same context.
338  *
339  * \param p_rng         The HMAC_DRBG context. This must be a pointer to a
340  *                      #mbedtls_hmac_drbg_context structure.
341  * \param output        The buffer to fill.
342  * \param output_len    The length of the buffer in bytes.
343  *                      This must be at most #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
344  * \param additional    Additional data to update with.
345  *                      If this is \c NULL, there is no additional data
346  *                      and \p add_len should be \c 0.
347  * \param add_len       The length of the additional data.
348  *                      This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT.
349  *
350  * \return              \c 0 if successful.
351  * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
352  *                      if a call to the entropy source failed.
353  * \return              #MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG if
354  *                      \p output_len > #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
355  * \return              #MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG if
356  *                      \p add_len > #MBEDTLS_HMAC_DRBG_MAX_INPUT.
357  */
358 int mbedtls_hmac_drbg_random_with_add(void *p_rng,
359                                       unsigned char *output, size_t output_len,
360                                       const unsigned char *additional,
361                                       size_t add_len);
362 
363 /**
364  * \brief   This function uses HMAC_DRBG to generate random data.
365  *
366  * This function automatically reseeds if the reseed counter is exceeded
367  * or prediction resistance is enabled.
368  */
369 #if defined(MBEDTLS_THREADING_C)
370 /**
371  * \note                When Mbed TLS is built with threading support,
372  *                      it is safe to call mbedtls_ctr_drbg_random()
373  *                      from multiple threads. Other operations, including
374  *                      reseeding, are not thread-safe.
375  */
376 #endif /* MBEDTLS_THREADING_C */
377 /**
378  * \param p_rng         The HMAC_DRBG context. This must be a pointer to a
379  *                      #mbedtls_hmac_drbg_context structure.
380  * \param output        The buffer to fill.
381  * \param out_len       The length of the buffer in bytes.
382  *                      This must be at most #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
383  *
384  * \return              \c 0 if successful.
385  * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
386  *                      if a call to the entropy source failed.
387  * \return              #MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG if
388  *                      \p out_len > #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
389  */
390 int mbedtls_hmac_drbg_random(void *p_rng, unsigned char *output, size_t out_len);
391 
392 /**
393  * \brief               This function resets HMAC_DRBG context to the state immediately
394  *                      after initial call of mbedtls_hmac_drbg_init().
395  *
396  * \param ctx           The HMAC_DRBG context to free.
397  */
398 void mbedtls_hmac_drbg_free(mbedtls_hmac_drbg_context *ctx);
399 
400 #if defined(MBEDTLS_FS_IO)
401 /**
402  * \brief               This function writes a seed file.
403  *
404  * \param ctx           The HMAC_DRBG context.
405  * \param path          The name of the file.
406  *
407  * \return              \c 0 on success.
408  * \return              #MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR on file error.
409  * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED on reseed
410  *                      failure.
411  */
412 int mbedtls_hmac_drbg_write_seed_file(mbedtls_hmac_drbg_context *ctx, const char *path);
413 
414 /**
415  * \brief               This function reads and updates a seed file. The seed
416  *                      is added to this instance.
417  *
418  * \param ctx           The HMAC_DRBG context.
419  * \param path          The name of the file.
420  *
421  * \return              \c 0 on success.
422  * \return              #MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR on file error.
423  * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED on
424  *                      reseed failure.
425  * \return              #MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG if the existing
426  *                      seed file is too large.
427  */
428 int mbedtls_hmac_drbg_update_seed_file(mbedtls_hmac_drbg_context *ctx, const char *path);
429 #endif /* MBEDTLS_FS_IO */
430 
431 
432 #if defined(MBEDTLS_SELF_TEST)
433 /**
434  * \brief               The HMAC_DRBG Checkup routine.
435  *
436  * \return              \c 0 if successful.
437  * \return              \c 1 if the test failed.
438  */
439 int mbedtls_hmac_drbg_self_test(int verbose);
440 #endif
441 
442 #ifdef __cplusplus
443 }
444 #endif
445 
446 #endif /* hmac_drbg.h */
447