1 /**
2  * \file hmac_drbg.h
3  *
4  * \brief The HMAC_DRBG pseudorandom generator.
5  *
6  * This module implements the HMAC_DRBG pseudorandom generator described
7  * in <em>NIST SP 800-90A: Recommendation for Random Number Generation Using
8  * Deterministic Random Bit Generators</em>.
9  */
10 /*
11  *  Copyright The Mbed TLS Contributors
12  *  SPDX-License-Identifier: Apache-2.0
13  *
14  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
15  *  not use this file except in compliance with the License.
16  *  You may obtain a copy of the License at
17  *
18  *  http://www.apache.org/licenses/LICENSE-2.0
19  *
20  *  Unless required by applicable law or agreed to in writing, software
21  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
22  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
23  *  See the License for the specific language governing permissions and
24  *  limitations under the License.
25  */
26 #ifndef MBEDTLS_HMAC_DRBG_H
27 #define MBEDTLS_HMAC_DRBG_H
28 
29 #if !defined(MBEDTLS_CONFIG_FILE)
30 #include "mbedtls/config.h"
31 #else
32 #include MBEDTLS_CONFIG_FILE
33 #endif
34 
35 #include "mbedtls/md.h"
36 
37 #if defined(MBEDTLS_THREADING_C)
38 #include "mbedtls/threading.h"
39 #endif
40 
41 /*
42  * Error codes
43  */
44 /** Too many random requested in single call. */
45 #define MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG              -0x0003
46 /** Input too large (Entropy + additional). */
47 #define MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG                -0x0005
48 /** Read/write error in file. */
49 #define MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR                -0x0007
50 /** The entropy source failed. */
51 #define MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED        -0x0009
52 
53 /**
54  * \name SECTION: Module settings
55  *
56  * The configuration options you can set for this module are in this section.
57  * Either change them in config.h or define them on the compiler command line.
58  * \{
59  */
60 
61 #if !defined(MBEDTLS_HMAC_DRBG_RESEED_INTERVAL)
62 #define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL   10000   /**< Interval before reseed is performed by default */
63 #endif
64 
65 #if !defined(MBEDTLS_HMAC_DRBG_MAX_INPUT)
66 #define MBEDTLS_HMAC_DRBG_MAX_INPUT         256     /**< Maximum number of additional input bytes */
67 #endif
68 
69 #if !defined(MBEDTLS_HMAC_DRBG_MAX_REQUEST)
70 #define MBEDTLS_HMAC_DRBG_MAX_REQUEST       1024    /**< Maximum number of requested bytes per call */
71 #endif
72 
73 #if !defined(MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT)
74 #define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT    384     /**< Maximum size of (re)seed buffer */
75 #endif
76 
77 /* \} name SECTION: Module settings */
78 
79 #define MBEDTLS_HMAC_DRBG_PR_OFF   0   /**< No prediction resistance       */
80 #define MBEDTLS_HMAC_DRBG_PR_ON    1   /**< Prediction resistance enabled  */
81 
82 #ifdef __cplusplus
83 extern "C" {
84 #endif
85 
86 /**
87  * HMAC_DRBG context.
88  */
89 typedef struct mbedtls_hmac_drbg_context
90 {
91     /* Working state: the key K is not stored explicitly,
92      * but is implied by the HMAC context */
93     mbedtls_md_context_t md_ctx;                    /*!< HMAC context (inc. K)  */
94     unsigned char V[MBEDTLS_MD_MAX_SIZE];  /*!< V in the spec          */
95     int reseed_counter;                     /*!< reseed counter         */
96 
97     /* Administrative state */
98     size_t entropy_len;         /*!< entropy bytes grabbed on each (re)seed */
99     int prediction_resistance;  /*!< enable prediction resistance (Automatic
100                                      reseed before every random generation) */
101     int reseed_interval;        /*!< reseed interval   */
102 
103     /* Callbacks */
104     int (*f_entropy)(void *, unsigned char *, size_t); /*!< entropy function */
105     void *p_entropy;            /*!< context for the entropy function        */
106 
107 #if defined(MBEDTLS_THREADING_C)
108     /* Invariant: the mutex is initialized if and only if
109      * md_ctx->md_info != NULL. This means that the mutex is initialized
110      * during the initial seeding in mbedtls_hmac_drbg_seed() or
111      * mbedtls_hmac_drbg_seed_buf() and freed in mbedtls_ctr_drbg_free().
112      *
113      * Note that this invariant may change without notice. Do not rely on it
114      * and do not access the mutex directly in application code.
115      */
116     mbedtls_threading_mutex_t mutex;
117 #endif
118 } mbedtls_hmac_drbg_context;
119 
120 /**
121  * \brief               HMAC_DRBG context initialization.
122  *
123  * This function makes the context ready for mbedtls_hmac_drbg_seed(),
124  * mbedtls_hmac_drbg_seed_buf() or mbedtls_hmac_drbg_free().
125  *
126  * \note                The reseed interval is #MBEDTLS_HMAC_DRBG_RESEED_INTERVAL
127  *                      by default. Override this value by calling
128  *                      mbedtls_hmac_drbg_set_reseed_interval().
129  *
130  * \param ctx           HMAC_DRBG context to be initialized.
131  */
132 void mbedtls_hmac_drbg_init( mbedtls_hmac_drbg_context *ctx );
133 
134 /**
135  * \brief               HMAC_DRBG initial seeding.
136  *
137  * Set the initial seed and set up the entropy source for future reseeds.
138  *
139  * A typical choice for the \p f_entropy and \p p_entropy parameters is
140  * to use the entropy module:
141  * - \p f_entropy is mbedtls_entropy_func();
142  * - \p p_entropy is an instance of ::mbedtls_entropy_context initialized
143  *   with mbedtls_entropy_init() (which registers the platform's default
144  *   entropy sources).
145  *
146  * You can provide a personalization string in addition to the
147  * entropy source, to make this instantiation as unique as possible.
148  *
149  * \note                By default, the security strength as defined by NIST is:
150  *                      - 128 bits if \p md_info is SHA-1;
151  *                      - 192 bits if \p md_info is SHA-224;
152  *                      - 256 bits if \p md_info is SHA-256, SHA-384 or SHA-512.
153  *                      Note that SHA-256 is just as efficient as SHA-224.
154  *                      The security strength can be reduced if a smaller
155  *                      entropy length is set with
156  *                      mbedtls_hmac_drbg_set_entropy_len().
157  *
158  * \note                The default entropy length is the security strength
159  *                      (converted from bits to bytes). You can override
160  *                      it by calling mbedtls_hmac_drbg_set_entropy_len().
161  *
162  * \note                During the initial seeding, this function calls
163  *                      the entropy source to obtain a nonce
164  *                      whose length is half the entropy length.
165  */
166 #if defined(MBEDTLS_THREADING_C)
167 /**
168  * \note                When Mbed TLS is built with threading support,
169  *                      after this function returns successfully,
170  *                      it is safe to call mbedtls_hmac_drbg_random()
171  *                      from multiple threads. Other operations, including
172  *                      reseeding, are not thread-safe.
173  */
174 #endif /* MBEDTLS_THREADING_C */
175 /**
176  * \param ctx           HMAC_DRBG context to be seeded.
177  * \param md_info       MD algorithm to use for HMAC_DRBG.
178  * \param f_entropy     The entropy callback, taking as arguments the
179  *                      \p p_entropy context, the buffer to fill, and the
180  *                      length of the buffer.
181  *                      \p f_entropy is always called with a length that is
182  *                      less than or equal to the entropy length.
183  * \param p_entropy     The entropy context to pass to \p f_entropy.
184  * \param custom        The personalization string.
185  *                      This can be \c NULL, in which case the personalization
186  *                      string is empty regardless of the value of \p len.
187  * \param len           The length of the personalization string.
188  *                      This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT
189  *                      and also at most
190  *                      #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \p entropy_len * 3 / 2
191  *                      where \p entropy_len is the entropy length
192  *                      described above.
193  *
194  * \return              \c 0 if successful.
195  * \return              #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info is
196  *                      invalid.
197  * \return              #MBEDTLS_ERR_MD_ALLOC_FAILED if there was not enough
198  *                      memory to allocate context data.
199  * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
200  *                      if the call to \p f_entropy failed.
201  */
202 int mbedtls_hmac_drbg_seed( mbedtls_hmac_drbg_context *ctx,
203                     const mbedtls_md_info_t * md_info,
204                     int (*f_entropy)(void *, unsigned char *, size_t),
205                     void *p_entropy,
206                     const unsigned char *custom,
207                     size_t len );
208 
209 /**
210  * \brief               Initilisation of simpified HMAC_DRBG (never reseeds).
211  *
212  * This function is meant for use in algorithms that need a pseudorandom
213  * input such as deterministic ECDSA.
214  */
215 #if defined(MBEDTLS_THREADING_C)
216 /**
217  * \note                When Mbed TLS is built with threading support,
218  *                      after this function returns successfully,
219  *                      it is safe to call mbedtls_hmac_drbg_random()
220  *                      from multiple threads. Other operations, including
221  *                      reseeding, are not thread-safe.
222  */
223 #endif /* MBEDTLS_THREADING_C */
224 /**
225  * \param ctx           HMAC_DRBG context to be initialised.
226  * \param md_info       MD algorithm to use for HMAC_DRBG.
227  * \param data          Concatenation of the initial entropy string and
228  *                      the additional data.
229  * \param data_len      Length of \p data in bytes.
230  *
231  * \return              \c 0 if successful. or
232  * \return              #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info is
233  *                      invalid.
234  * \return              #MBEDTLS_ERR_MD_ALLOC_FAILED if there was not enough
235  *                      memory to allocate context data.
236  */
237 int mbedtls_hmac_drbg_seed_buf( mbedtls_hmac_drbg_context *ctx,
238                         const mbedtls_md_info_t * md_info,
239                         const unsigned char *data, size_t data_len );
240 
241 /**
242  * \brief               This function turns prediction resistance on or off.
243  *                      The default value is off.
244  *
245  * \note                If enabled, entropy is gathered at the beginning of
246  *                      every call to mbedtls_hmac_drbg_random_with_add()
247  *                      or mbedtls_hmac_drbg_random().
248  *                      Only use this if your entropy source has sufficient
249  *                      throughput.
250  *
251  * \param ctx           The HMAC_DRBG context.
252  * \param resistance    #MBEDTLS_HMAC_DRBG_PR_ON or #MBEDTLS_HMAC_DRBG_PR_OFF.
253  */
254 void mbedtls_hmac_drbg_set_prediction_resistance( mbedtls_hmac_drbg_context *ctx,
255                                           int resistance );
256 
257 /**
258  * \brief               This function sets the amount of entropy grabbed on each
259  *                      seed or reseed.
260  *
261  * See the documentation of mbedtls_hmac_drbg_seed() for the default value.
262  *
263  * \param ctx           The HMAC_DRBG context.
264  * \param len           The amount of entropy to grab, in bytes.
265  */
266 void mbedtls_hmac_drbg_set_entropy_len( mbedtls_hmac_drbg_context *ctx,
267                                 size_t len );
268 
269 /**
270  * \brief               Set the reseed interval.
271  *
272  * The reseed interval is the number of calls to mbedtls_hmac_drbg_random()
273  * or mbedtls_hmac_drbg_random_with_add() after which the entropy function
274  * is called again.
275  *
276  * The default value is #MBEDTLS_HMAC_DRBG_RESEED_INTERVAL.
277  *
278  * \param ctx           The HMAC_DRBG context.
279  * \param interval      The reseed interval.
280  */
281 void mbedtls_hmac_drbg_set_reseed_interval( mbedtls_hmac_drbg_context *ctx,
282                                     int interval );
283 
284 /**
285  * \brief               This function updates the state of the HMAC_DRBG context.
286  *
287  * \note                This function is not thread-safe. It is not safe
288  *                      to call this function if another thread might be
289  *                      concurrently obtaining random numbers from the same
290  *                      context or updating or reseeding the same context.
291  *
292  * \param ctx           The HMAC_DRBG context.
293  * \param additional    The data to update the state with.
294  *                      If this is \c NULL, there is no additional data.
295  * \param add_len       Length of \p additional in bytes.
296  *                      Unused if \p additional is \c NULL.
297  *
298  * \return              \c 0 on success, or an error from the underlying
299  *                      hash calculation.
300  */
301 int mbedtls_hmac_drbg_update_ret( mbedtls_hmac_drbg_context *ctx,
302                        const unsigned char *additional, size_t add_len );
303 
304 /**
305  * \brief               This function reseeds the HMAC_DRBG context, that is
306  *                      extracts data from the entropy source.
307  *
308  * \note                This function is not thread-safe. It is not safe
309  *                      to call this function if another thread might be
310  *                      concurrently obtaining random numbers from the same
311  *                      context or updating or reseeding the same context.
312  *
313  * \param ctx           The HMAC_DRBG context.
314  * \param additional    Additional data to add to the state.
315  *                      If this is \c NULL, there is no additional data
316  *                      and \p len should be \c 0.
317  * \param len           The length of the additional data.
318  *                      This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT
319  *                      and also at most
320  *                      #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \p entropy_len
321  *                      where \p entropy_len is the entropy length
322  *                      (see mbedtls_hmac_drbg_set_entropy_len()).
323  *
324  * \return              \c 0 if successful.
325  * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
326  *                      if a call to the entropy function failed.
327  */
328 int mbedtls_hmac_drbg_reseed( mbedtls_hmac_drbg_context *ctx,
329                       const unsigned char *additional, size_t len );
330 
331 /**
332  * \brief   This function updates an HMAC_DRBG instance with additional
333  *          data and uses it to generate random data.
334  *
335  * This function automatically reseeds if the reseed counter is exceeded
336  * or prediction resistance is enabled.
337  *
338  * \note                This function is not thread-safe. It is not safe
339  *                      to call this function if another thread might be
340  *                      concurrently obtaining random numbers from the same
341  *                      context or updating or reseeding the same context.
342  *
343  * \param p_rng         The HMAC_DRBG context. This must be a pointer to a
344  *                      #mbedtls_hmac_drbg_context structure.
345  * \param output        The buffer to fill.
346  * \param output_len    The length of the buffer in bytes.
347  *                      This must be at most #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
348  * \param additional    Additional data to update with.
349  *                      If this is \c NULL, there is no additional data
350  *                      and \p add_len should be \c 0.
351  * \param add_len       The length of the additional data.
352  *                      This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT.
353  *
354  * \return              \c 0 if successful.
355  * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
356  *                      if a call to the entropy source failed.
357  * \return              #MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG if
358  *                      \p output_len > #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
359  * \return              #MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG if
360  *                      \p add_len > #MBEDTLS_HMAC_DRBG_MAX_INPUT.
361  */
362 int mbedtls_hmac_drbg_random_with_add( void *p_rng,
363                                unsigned char *output, size_t output_len,
364                                const unsigned char *additional,
365                                size_t add_len );
366 
367 /**
368  * \brief   This function uses HMAC_DRBG to generate random data.
369  *
370  * This function automatically reseeds if the reseed counter is exceeded
371  * or prediction resistance is enabled.
372  */
373 #if defined(MBEDTLS_THREADING_C)
374 /**
375  * \note                When Mbed TLS is built with threading support,
376  *                      it is safe to call mbedtls_ctr_drbg_random()
377  *                      from multiple threads. Other operations, including
378  *                      reseeding, are not thread-safe.
379  */
380 #endif /* MBEDTLS_THREADING_C */
381 /**
382  * \param p_rng         The HMAC_DRBG context. This must be a pointer to a
383  *                      #mbedtls_hmac_drbg_context structure.
384  * \param output        The buffer to fill.
385  * \param out_len       The length of the buffer in bytes.
386  *                      This must be at most #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
387  *
388  * \return              \c 0 if successful.
389  * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
390  *                      if a call to the entropy source failed.
391  * \return              #MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG if
392  *                      \p out_len > #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
393  */
394 int mbedtls_hmac_drbg_random( void *p_rng, unsigned char *output, size_t out_len );
395 
396 /**
397  * \brief               This function resets HMAC_DRBG context to the state immediately
398  *                      after initial call of mbedtls_hmac_drbg_init().
399  *
400  * \param ctx           The HMAC_DRBG context to free.
401  */
402 void mbedtls_hmac_drbg_free( mbedtls_hmac_drbg_context *ctx );
403 
404 #if ! defined(MBEDTLS_DEPRECATED_REMOVED)
405 #if defined(MBEDTLS_DEPRECATED_WARNING)
406 #define MBEDTLS_DEPRECATED    __attribute__((deprecated))
407 #else
408 #define MBEDTLS_DEPRECATED
409 #endif
410 /**
411  * \brief               This function updates the state of the HMAC_DRBG context.
412  *
413  * \deprecated          Superseded by mbedtls_hmac_drbg_update_ret()
414  *                      in 2.16.0.
415  *
416  * \param ctx           The HMAC_DRBG context.
417  * \param additional    The data to update the state with.
418  *                      If this is \c NULL, there is no additional data.
419  * \param add_len       Length of \p additional in bytes.
420  *                      Unused if \p additional is \c NULL.
421  */
422 MBEDTLS_DEPRECATED void mbedtls_hmac_drbg_update(
423     mbedtls_hmac_drbg_context *ctx,
424     const unsigned char *additional, size_t add_len );
425 #undef MBEDTLS_DEPRECATED
426 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
427 
428 #if defined(MBEDTLS_FS_IO)
429 /**
430  * \brief               This function writes a seed file.
431  *
432  * \param ctx           The HMAC_DRBG context.
433  * \param path          The name of the file.
434  *
435  * \return              \c 0 on success.
436  * \return              #MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR on file error.
437  * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED on reseed
438  *                      failure.
439  */
440 int mbedtls_hmac_drbg_write_seed_file( mbedtls_hmac_drbg_context *ctx, const char *path );
441 
442 /**
443  * \brief               This function reads and updates a seed file. The seed
444  *                      is added to this instance.
445  *
446  * \param ctx           The HMAC_DRBG context.
447  * \param path          The name of the file.
448  *
449  * \return              \c 0 on success.
450  * \return              #MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR on file error.
451  * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED on
452  *                      reseed failure.
453  * \return              #MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG if the existing
454  *                      seed file is too large.
455  */
456 int mbedtls_hmac_drbg_update_seed_file( mbedtls_hmac_drbg_context *ctx, const char *path );
457 #endif /* MBEDTLS_FS_IO */
458 
459 
460 #if defined(MBEDTLS_SELF_TEST)
461 /**
462  * \brief               The HMAC_DRBG Checkup routine.
463  *
464  * \return              \c 0 if successful.
465  * \return              \c 1 if the test failed.
466  */
467 int mbedtls_hmac_drbg_self_test( int verbose );
468 #endif
469 
470 #ifdef __cplusplus
471 }
472 #endif
473 
474 #endif /* hmac_drbg.h */
475